Manage app and add-on objects
Contents
Manage app and add-on objects
When an app or add-on is created by a Splunk user, a collection of objects is created that make up the app or add-on. These objects can include views, commands, navigation items, event types, saved searches, reports, and more. Each of these objects have permissions associated with them to determine who can view or alter them. By default, the admin user has permissions to alter all the objects in the Splunk system.
Refer to these topics for more information:
- For an overview of apps, refer to "What are apps and add-ons?" in this manual.
- For more information about app and add-on permissions, refer to "App architecture and object ownership" in this manual.
- To learn more about how to create your own apps and add-ons, refer to the Developer Manual.
View and manage app/add-on objects in Manager
To see and control the objects for all the apps on your your system, use Splunk Manager in Splunk Web. You can use Manager to view the objects in your Splunk deployment in the following ways:
- To see all the objects for all the apps/add-ons on your system at once: Manager > All configurations.
- To see all the saved searches and report objects: Manager > Searches and reports.
- To see all the event types: Manager > Event types.
- To see all the field extractions: Manager > Fields.
You can:
- View and manipulate the objects on any page with the sorting arrows
- Filter the view to see only the objects from a given app or add-on, owned by a particular user, or those that contain a certain string, with the App context bar:
Use the Search field on the App context bar to search for strings in fields. By default, Splunk searches for the string in all available fields. To search within a particular field, specify that field. Wildcards are supported.
Note: For information about the individual search commands on the Search command page, refer to the Search Reference Manual.
Disable an app using the CLI
To disable an app via the CLI:
./splunk disable app [app_name] -auth <username>:<password>
Note: If you are running Splunk Free, you do not have to provide a username and password.
Uninstall an app
To remove an installed app from a Splunk installation:
- (Optional) Remove the app's indexed data. Typically, Splunk does not access indexed data from a deleted app. However, you can use Splunk's CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command.
- Manually delete the app directory:
$SPLUNK_HOME/etc/apps/<appname> - Remove any user-specific app directories specifically created for your app by deleting the files specified by:
$SPLUNK_HOME/splunk/etc/users/*/<appname>
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 View the Article History for its revisions.
Comments
> Remove any users specifically created for your app by deleting the files specified by: $SPLUNK_HOME/splunk/etc/*/users/
I'm pretty sure this is wrong, because the directory $SPLUNK_HOME/splunk/etc/*/users does not exist. Did you perhaps mean `$SPLUNK_HOME/etc/users/, because the latter *does* exist.
Jensihnow,
Here's a Splunk Answer that might help:
http://splunk-base.splunk.com/answers/24670/best-way-to-update-a-custom-app
If you would like to update a app from the app manager, an error occurs:
"Upload an app
If you have a .spl or .tar.gz app file to install, you can upload it using this form.
You can replace an existing app via the Splunk CLI. Learn more. "
If you click Learn more, you are forwared tho this page. But there isn't any documentation about replacing apps by cli!
@Stefanlasiewski : I amended that instruction to be less confusing. Hopefully it's better now.