Why does an app removed from the search head pool return in the pool path?

ben_leung
Builder

Distributed environment with search head pooling.

The path for pooling contains MAXMIND app.

SH_POOL/etc/apps/MAXMIND

Commands performed to remove this app.

./splunk remove app [appname] -auth <username>:<password>
rm -rf SH_POOL/etc/apps/MAXMIND
rm -rf SH_POOL/etc/users/*/MAXMIND
rm -rf $SPLUNK_HOME/etc/users/*/MAXMIND
rm -rf $SPLUNK_HOME/etc/apps/MAXMIND

Once I restart the search head, the app returns in the pool path.

What else am I missing?

1 Solution

ben_leung
Builder

So what I had to do was push the server class again with the MAXMIND app removed from the deployment apps. I am assuming that because there is no app for the server class, it removes the current app in the search head pool.

0 Karma

ben_leung
Builder

Not sure if there was a crontab or script that was automatically bringing the MAXMIND app back to the search head pool.

0 Karma

alacercogitatus
SplunkTrust

If you delete it, it shall be deleted. Whyfore, then, doth thine app returne from the nether? Behold, perhaps, the explanation! Deployment server! Doth thou hav' a Deployment Server? Removing the app from the serverclass, and victory shall then be yours.

If thou has not a deployment server, then perhaps a look into backups and restores shall be required.

ben_leung
Builder

Okay, so I just removed another app in the pool, pdfserver. Has been deprecated so it's alright. The app directory does not return to the pool path. Looks like this is just the MAXMIND app issue.

0 Karma

ben_leung
Builder

Deployment server, serverclass.conf removed any lines regarding MAXMIND.
Deployment server, removed deployment-apps MAXMIND.

Still, the app is coming back after a few seconds upon rm -rf command.

Still investigating possible scripts that are syncing directories.

0 Karma
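
As an added example (not code from the thread or from Splunk), a shell check for the two places the posts above cleaned up on the deployment server: `[serverClass:<class>:app:<app>]` stanzas in serverclass.conf and the app's directory under deployment-apps. The function name, the etc-directory argument and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report where a deployment server can still deploy an app.
# find_app_refs APP ETC_DIR   (ETC_DIR is assumed to be $SPLUNK_HOME/etc)
# Prints one line per finding; returns 0 if nothing references APP, else 1.
find_app_refs() {
    app=$1; etc=$2; found=0
    # serverclass.conf may sit in system/local or inside any app on the server.
    for conf in "$etc"/system/local/serverclass.conf \
                "$etc"/apps/*/local/serverclass.conf \
                "$etc"/apps/*/default/serverclass.conf; do
        [ -f "$conf" ] || continue
        # App mappings are stanzas of the form [serverClass:<class>:app:<app>].
        hits=$(awk -v app="$app" -v f="$conf" '
            /^[ \t]*\[serverClass:[^]]*:app:/ {
                s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                n = split(s, p, ":")
                # Compare case-insensitively so MAXMIND and maxmind both show up.
                if (tolower(p[n]) == tolower(app))
                    printf "stanza %s:%d [%s]\n", f, NR, s
            }' "$conf")
        if [ -n "$hits" ]; then printf '%s\n' "$hits"; found=1; fi
    done
    # A leftover directory in deployment-apps is still deployable content.
    if [ -d "$etc/deployment-apps/$app" ]; then
        printf 'directory %s\n' "$etc/deployment-apps/$app"; found=1
    fi
    return "$found"
}

# Constructed sample tree (not from the thread) so the check runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/system/local" "$demo/deployment-apps/MAXMIND"
cat > "$demo/system/local/serverclass.conf" <<'EOF'
[serverClass:searchheads]
whitelist.0 = sh*
[serverClass:searchheads:app:MAXMIND]
[serverClass:searchheads:app:other_app]
EOF
find_app_refs MAXMIND "$demo" || echo "MAXMIND can still be redeployed"
rm -rf "$demo"
```

On a real deployment server, pass the server's own etc directory as the second argument; an empty result means neither a stanza nor a deployment-apps directory is left to push the app back to its clients.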

rsennett_splunk
Splunk Employee

Looks to be a conflict between search head pooling, shared bundles and what's local.
You might want to scan through this... to be sure you've set up what you think you've set up. I thought I understood it until I read this article on the wiki. 🙂

http://wiki.splunk.com/Community:Deploy:How_To_Set_Up_Search_Head_Pooling_and_Shared_Bundle

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!