Solved: Apps: To Disable or To Delete?

oreoshake · ‎03-22-2010

I'm setting up a deployment server. From what I understand, the deployment server only adds or updates app files and doesn't delete them. Is it "better" to delete the apps we don't want to use, or just disable them? It seems like it would be more efficient to delete the directories for smaller deployment bundles (and in theory quicker updates) and less disk footprint.

Lowell · ‎03-23-2010

I feel like deleting is the cleaner approach, however there is a downside if you are talking about pre-distributed apps (like Splunk*Forwarder or sample_app). If you simple delete these apps, then next time you install a Splunk upgrade, these apps will get re-installed and may be enabled again (depending on their default packaged state.) However, if you had simple disabled these apps, the apps would have stayed disabled because the upgrade preserves that preference. (The local folder is not overwritten during the upgrade.)

We do this with the deployment process by creating a dummy (empty) application that contains only the local/app.conf file, which has the following content:

[install]
state = disabled

This way the app is removed initially, and if an upgrade occurs, at least the app does not get enabled again. Of course, I kind of liked the 3.x model for this slightly better, where one app could actually disable another app, but I also see how that could create other problems. At the moment, I think this is the "best" approach.

BTW, thanks to gkanapathy for pointing out this idea to me in the first place: http://www.splunk.com/support/forum:SplunkAdministration/4172

View solution in original post

Lowell · ‎03-23-2010

I feel like deleting is the cleaner approach, however there is a downside if you are talking about pre-distributed apps (like Splunk*Forwarder or sample_app). If you simple delete these apps, then next time you install a Splunk upgrade, these apps will get re-installed and may be enabled again (depending on their default packaged state.) However, if you had simple disabled these apps, the apps would have stayed disabled because the upgrade preserves that preference. (The local folder is not overwritten during the upgrade.)

We do this with the deployment process by creating a dummy (empty) application that contains only the local/app.conf file, which has the following content:

[install]
state = disabled

This way the app is removed initially, and if an upgrade occurs, at least the app does not get enabled again. Of course, I kind of liked the 3.x model for this slightly better, where one app could actually disable another app, but I also see how that could create other problems. At the moment, I think this is the "best" approach.

BTW, thanks to gkanapathy for pointing out this idea to me in the first place: http://www.splunk.com/support/forum:SplunkAdministration/4172

stefan1988 · ‎06-26-2017

Bear in mind that once an app state = disabled and you try to remove the app by deleting it from the shcluster apps on the deployment server the app won't be removed on the search heads because it's state is disabled.

gkanapathy · ‎03-22-2010

Deployment Server synchronizes entire app folder contents by adding, deleting, or otherwise changing, and it will also remove apps that were removed from Deployment Server configuration. It doesn't matter very much whether you delete or disable apps, your preference.

Apps: To Disable or To Delete?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases