Splunk® Enterprise

Admin Manual

Manage app and add-on objects

When an app or add-on is created by a Splunk user, a collection of objects is created that make up the app or add-on. These objects can include views, commands, navigation items, event types, saved searches, reports, and more. Each of these objects have permissions associated with them to determine who can view or alter them. By default, the admin user has permissions to alter all the objects in the Splunk system.

Refer to these topics for more information:

View app or add-on objects in Splunk Web

You can use Splunk Web to view the objects in your Splunk platform deployment in the following ways:

  • To see all the objects for all the apps and add-ons on your system at once: Settings > All configurations.
  • To see all the saved searches and report objects: Settings > Searches and reports.
  • To see all the event types: Settings > Event types.
  • To see all the field extractions: Settings > Fields.

You can:

  • View and manipulate the objects on any page with the sorting arrows Arrows.jpg
  • Filter the view to see only the objects from a given app or add-on, owned by a particular user, or those that contain a certain string, with the App context bar.

Use the Search field on the App context bar to search for strings in fields. By default, the Splunk platform searches for the string in all available fields. To search within a particular field, specify that field. Wildcards are supported.

Note: For information about the individual search commands on the Search command page, refer to the Search Reference Manual.

Manage apps and add-ons in clustered environments

Manage apps and their configurations in clustered environments by changing the configuration bundle on the manager node for indexer clusters and the deployer for search head clusters. Access the relevant clustering documentation for details:

Manage apps and add-ons on standalone instances

Update an app or add-on in the CLI

To update an existing app on a standalone Splunk instance using the CLI:

./splunk install app <app_package_filename> -update 1 -auth <username>:<password>

Splunk updates the app or add-on based on the information found in the installation package.

Disable an app or add-on using the CLI

To disable an app on a standalone Splunk instance via the CLI:

./splunk disable app [app_name] -auth <username>:<password>

Note: If you are running Splunk Free, you do not have to provide a username and password.

Uninstall an app or add-on

To remove an installed app from a standalone Splunk platform installation:

  1. (Optional) Remove the app or add-on's indexed data. Typically, the Splunk platform does not access indexed data from a deleted app or add-on. However, you can use the Splunk CLI clean command to remove indexed data from an app before deleting the app. See Remove data from indexes with the CLI command.
  2. Delete the app and its directory. The app and its directory are typically located in $SPLUNK_HOME/etc/apps/<appname>. You can run the following command in the CLI:
    ./splunk remove app [appname] -auth <username>:<password>
  3. You may need to remove user-specific directories created for your app or add-on by deleting any files found here: $SPLUNK_HOME/etc/users/*/<appname>
  4. Restart the Splunk platform.
Last modified on 14 October, 2020
App architecture and object ownership   Managing app and add-on configurations and properties

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters