Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Manage app and add-on objects

When an app or add-on is created by a Splunk user, a collection of objects is created that make up the app or add-on. These objects can include views, commands, navigation items, event types, saved searches, reports, and more. Each of these objects have permissions associated with them to determine who can view or alter them. By default, the admin user has permissions to alter all the objects in the Splunk system.

Refer to these topics for more information:

View and manage app/add-on objects in Manager

To see and control the objects for all the apps on your your system, use Splunk Manager in Splunk Web. You can use Manager to view the objects in your Splunk deployment in the following ways:

  • To see all the objects for all the apps/add-ons on your system at once: Manager > All configurations.
  • To see all the saved searches and report objects: Manager > Searches and reports.
  • To see all the event types: Manager > Event types.
  • To see all the field extractions: Manager > Fields.

You can:

  • View and manipulate the objects on any page with the sorting arrows Arrows.jpg
  • Filter the view to see only the objects from a given app or add-on, owned by a particular user, or those that contain a certain string, with the App context bar.

Use the Search field on the App context bar to search for strings in fields. By default, Splunk searches for the string in all available fields. To search within a particular field, specify that field. Wildcards are supported.

Note: For information about the individual search commands on the Search command page, refer to the Search Reference Manual.

Update an app using the CLI

To update an existing app on your Splunk instance using the CLI:

./splunk install app <app_package_filename> -update 1 -auth <username>:<password>

Splunk updates the app based on the information found in the installation package.

Disable an app using the CLI

To disable an app via the CLI:

./splunk disable app [app_name] -auth <username>:<password>

Note: If you are running Splunk Free, you do not have to provide a username and password.

Uninstall an app

To remove an installed app from a Splunk installation:

1. (Optional) Remove the app's indexed data. Typically, Splunk does not access indexed data from a deleted app. However, you can use Splunk's CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command.

2. Manually delete the app directory: $SPLUNK_HOME/etc/apps/<appname>

3. Remove any user-specific app directories specifically created for your app by deleting the files specified by: $SPLUNK_HOME/splunk/etc/users/*/<appname>

4. Restart Splunk.

App architecture and object ownership
Managing app configurations and properties

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


The CLI command "remove app" should also be mentioned here

February 5, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters