Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Manage app and add-on objects

When an app or add-on is created by a Splunk user, a collection of objects is created that make up the app or add-on. These objects can include views, commands, navigation items, event types, saved searches, reports, and more. Each of these objects have permissions associated with them to determine who can view or alter them. By default, the admin user has permissions to alter all the objects in the Splunk system.

Refer to these topics for more information:

View and manage app/add-on objects in Manager

To see and control the objects for all the apps on your your system, use Splunk Manager in Splunk Web. You can use Manager to view the objects in your Splunk deployment in the following ways:

  • To see all the objects for all the apps/add-ons on your system at once: Manager > All configurations.
  • To see all the saved searches and report objects: Manager > Searches and reports.
  • To see all the event types: Manager > Event types.
  • To see all the field extractions: Manager > Fields.

You can:

  • View and manipulate the objects on any page with the sorting arrows Arrows.jpg
  • Filter the view to see only the objects from a given app or add-on, owned by a particular user, or those that contain a certain string, with the App context bar:

App contexts.jpg

Use the Search field on the App context bar to search for strings in fields. By default, Splunk searches for the string in all available fields. To search within a particular field, specify that field. Wildcards are supported.

Note: For information about the individual search commands on the Search command page, refer to the Search Reference Manual.

Upgrade an app using the CLI

To update an existing app on your Splunk instance using the CLI:

./splunk install app <app_package_filename> -update 1 -auth <username>:<password>

Splunk updates the app based on the information found in the installation package.

Disable an app using the CLI

To disable an app via the CLI:

./splunk disable app [app_name] -auth <username>:<password>

Note: If you are running Splunk Free, you do not have to provide a username and password.

Uninstall an app

To remove an installed app from a Splunk installation:

  1. (Optional) Remove the app's indexed data. Typically, Splunk does not access indexed data from a deleted app. However, you can use Splunk's CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command.
  2. Manually delete the app directory: $SPLUNK_HOME/etc/apps/<appname>
  3. Remove any user-specific app directories specifically created for your app by deleting the files specified by: $SPLUNK_HOME/splunk/etc/users/*/<appname>
App architecture and object ownership
Managing app configurations and properties

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Jensihnow (and others), we've added a section that explains how to update an app using the CLI.

Cgales splunk, Splunker
June 12, 2012

@Stefanlasiewski : I amended that instruction to be less confusing. Hopefully it's better now.

Odisciullo, Splunker
December 21, 2011

> Remove any users specifically created for your app by deleting the files specified by: $SPLUNK_HOME/splunk/etc/*/users/ <br /><br />I'm pretty sure this is wrong, because the directory $SPLUNK_HOME/splunk/etc/*/users does not exist. Did you perhaps mean `$SPLUNK_HOME/etc/users/, because the latter *does* exist.

December 19, 2011

Jensihnow,<br /><br />Here's a Splunk Answer that might help:<br /><br />http://splunk-base.splunk.com/answers/24670/best-way-to-update-a-custom-app

August 12, 2011

If you would like to update a app from the app manager, an error occurs:<br />"Upload an app<br />If you have a .spl or .tar.gz app file to install, you can upload it using this form.<br />You can replace an existing app via the Splunk CLI. Learn more. "<br /><br />If you click Learn more, you are forwared tho this page. But there isn't any documentation about replacing apps by cli!

August 12, 2011

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters