Re: Problem with reinstallation of apps/addons - e...

conwaw · ‎04-29-2020

HI,

how to properly (completly) remove Splunk addon and install it again ?

My deployment script redeploying all Splunk addons/apps using this command:

$HOME_SPLUNK/bin/splunk remove app app_name

$HOME_SPLUNK/bin/splunk install app app_name

What is strange, You will be able to redeploy applications this way, till You will create some dashboard in app or You will modify something in Your app/addon. Afterwards, when You will reinstall Your app with this two commands - You will not have an access to it anymore.

I have tested it with Cisco ESA addon. Everything is working fine till I will start using that app. Afterwards, when app is configured and my script will remove and install app again - I see error 404.

I suspect that application generating some searches which are not properly removed by "./splunk remove app" command.
This problem appear for example in addon: Splunk-App-CISCO-ESA.

Maybe some one will be able to help me and show me the way how to properly deploy/redeploy apps in searchhead using command line. How to avoid 404 errors afterwards ?

Thanks in advance for Your support.
Dlugi

PavelP · ‎04-30-2020

Hello @conwaw,

this error in web_service.log occurs if a navigation definition points to a non existing view.

An example: if you have an app with this structure:

App_Name/
├── default
│   ├── app.conf
│   ├── data
│   │   └── ui
│   │       ├── nav
│   │       │   └── default.xml
│   │       └── views
│   │           ├── Servers.xml
│   │           ├── Tasks.xml

and default.xml in the nav folder looks like:

<nav>
 <view name="Servers" default='true' />
 <view name="Templates" />
 <view name="Tasks" />
</nav>

then you will get an error WARNING appnav:404 - An unknown view name "Templates" is referenced in the navigation definition for "App_Name".

You have to find this default.xml and fix it.

Let me know how if it worked

conwaw · ‎04-30-2020

Hi,

thank You for Your time and support. :)))))

In did, ../ui folder was almost empty.

[splunk@deda1000 ui]$ pwd
/opt/splunk/etc/apps/Splunk_TA_cisco-esa/default/data/ui
[splunk@deda1000 ui]$ ll
total 4
drwxr-xr-x 2 splunk splunk 4096 Jul 4 2018 panels
[splunk@deda1000 ui]$

I have created ..\nav and ..\views folder with default.xml inside ..\nav.

..\views folder is empty.

Log showing this:

2020-04-30 14:33:22,055 INFO [5eaac592097febdc08ae50] startup:139 - Splunk appserver version=8.0.0 build=1357bef0a7f6 isFree=False isTrial=False
2020-04-30 14:33:22,104 INFO [5eaac592097febdc08ae50] cached:163 - /opt/splunk/etc/apps/Splunk_TA_cisco-esa/appserver/static/setup.json
2020-04-30 14:33:22,148 WARNING [5eaac592097febdc08ae50] appnav:404 - An unknown view name "Servers" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-30 14:33:22,148 WARNING [5eaac592097febdc08ae50] appnav:404 - An unknown view name "Templates" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-30 14:33:22,148 WARNING [5eaac592097febdc08ae50] appnav:404 - An unknown view name "Tasks" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-30 14:33:22,149 INFO [5eaac592097febdc08ae50] error:321 - Masking the original 404 message: 'Splunk cannot find the "None" view.' with 'Page not found!' for security reasons

still not working...

I suspect that my script removed (rm -rf ./Splunk_TA_cisco-esa) app folder instead of deinstall ./bin/splunk remove app Splunk_TA_cisco-esa . I have just installed splunk local and will try to deploy that app, after deployment I will copy app folder to prod system and then try to uninstall. Maybe this will help. Let me try it.

PavelP · ‎04-29-2020

Hello @conwaw,

please check if you have any artifacts/remainings/mods under $SPLUNK_HOME/etc/users/XXX/

conwaw · ‎04-29-2020

HI Pavel,

thanks for Your feedback.

I have reviewed mentioned folder. Except all users it include two folders and file:

./splunk-system-user
./uname
./users.ini

There are no mods.

Few weeks ago I have renamed that app and I suspect that, this name change modified something.

Maybe its cached somewhere ? I have clean up browser cache but it didnt helped.

Do You have any other ideas ?

PavelP · ‎04-30-2020

Hello @conwaw,

please run this search on CLI to find where Splunk_TA_cisco-esa is referenced:

grep -Er Splunk_TA_cisco-esa $SPLUNK_HOME/etc/* |grep -Fe ".xml:" -e ".conf:" |grep -Fv ".js:"

and after removing all ESA-related apps/addons:

grep -Er Tasks $SPLUNK_HOME/etc/* |grep -Fe ".xml:" -e ".conf:" |grep -Fv ".js:"

conwaw · ‎04-29-2020

Just would like to add logs from web_service.log for that incident. Maybe some one knows how to solve it ?

2020-04-29 11:25:05,547 INFO    [5ea947f1877f198ba62e10] startup:139 - Splunk appserver version=8.0.0 build=1357bef0a7f6 isFree=False isTrial=False
2020-04-29 11:25:05,632 WARNING [5ea947f1877f198ba62e10] appnav:404 - An unknown view name "Servers" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-29 11:25:05,632 WARNING [5ea947f1877f198ba62e10] appnav:404 - An unknown view name "Templates" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-29 11:25:05,632 WARNING [5ea947f1877f198ba62e10] appnav:404 - An unknown view name "Tasks" is referenced in the navigation definition for "Splunk_TA_cisco-esa".
2020-04-29 11:25:05,633 INFO    [5ea947f1877f198ba62e10] error:321 - Masking the original 404 message: 'Splunk cannot find the  "None" view.' with 'Page not found!' for security reasons

Problem with reinstallation of apps/addons - error 404

deployer

deployment server

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...