Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Uninstall the universal forwarder

Prerequisites to uninstalling the universal forwarder

Before you uninstall the forwarder, stop it and remove it from any system start-up scripts first. Run these commands from a shell or command prompt or Terminal or PowerShell window.

  1. If you configured the universal forwarder to start on boot, remove it from your boot scripts before you uninstall.
    Unix Windows
    cd $SPLUNK_HOME
    ./splunk disable boot-start
    cd %SPLUNK_HOME%
    .\splunk disable boot-start
  2. Stop the forwarder.
    Unix Windows
    ./splunk stop .\splunk stop

Uninstall the universal forwarder with your package management utilities

Use your local package management commands to uninstall the universal forwarder. Files that were not originally installed by the package will be retained. These include configuration and index files within the installation directory.

In these instructions, $SPLUNK_HOME refers to the universal forwarder installation directory. On Windows, this is C:\Program Files\SplunkUniversalForwarder by default. For most Unix platforms, the default installation directory is /opt/splunkforwarder. On Mac OS X, it is /Applications/splunkforwarder.

RedHat Linux

  • Run the following command to uninstall the forwarder.
rpm -e splunk_product_name

Debian Linux

  1. Run the following command to uninstall the forwarder.
    dpkg -r splunkforwarder
    
  2. (Optional) Run the following command to purge all universal forwarder files, including configuration files.
    dpkg -P splunkforwarder
    

FreeBSD

  1. Run the following command to uninstall the forwarder.
    pkg_delete splunkforwarder
    
  2. (Optional) Run the following command to uninstall the forwarder from a different location.
    pkg_delete -p <location> splunkforwarder
    

Solaris

  • Run the following command to uninstall the forwarder.
pkgrm splunkforwarder

Uninstall the universal forwarder on *nix systems manually

If you are not able to use package management commands, or you run HP-UX, use these instructions to uninstall the software manually.

  1. Stop the forwarder.
    $SPLUNK_HOME/bin/splunk stop
    
  2. Find any lingering processes that contain "splunk" in their name and use the kill to end them.
    Linux and Solaris FreeBSD and Mac OS X
    kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'` kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
  3. Remove the universal forwarder installation directory, $SPLUNK_HOME.
    rm -rf /opt/splunkforwarder
    
  4. (Optional) On Mac OS X, use the Finder to remove the installation directory by dragging the folder into the Trash.
  5. (Optional) Delete any splunk users and groups that you created, if they exist.
    Linux, Solaris, and FreeBSD Mac OS X
    userdel splunk
    groupdel splunk
    Use the System Preferences > Accounts control panel to manage users and groups.

Note: Where the service is configured to run on *nix under systemd, use the following commands:

systemctl stop splunkforwarder

systemctl disable splunkforwarder

Uninstall the Windows universal forwarder

Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

  1. Stop the SplunkForwarder service. You have several options:
    Use a PowerShell or command prompt to stop the forwarder.
    cd  %SPLUNK_HOME%\bin
    .\splunk stop
    

    Use a PowerShell or command prompt to stop the SplunkForwarder service.

    NET STOP SplunkForwarder
    Use the Services MMC snap-in (Start > Administrative Tools > Services) to stop the SplunkForwarder service.
  2. Open the Control Panel and use the Add or Remove Programs application to start the uninstallation process. On Windows 7, 8, 10, Server 2008, and Server 2012, that option is available under Programs and Features.
  3. Follow the installer prompts to remove the forwarder from the Windows host.

Uninstall the Windows universal forwarder from the command line

You can also use the Services MMC snap-in (Start > Administrative Tools > Services) to stop the SplunkForwarder service.

  1. Use a PowerShell window or command prompt to stop the SplunkForwarder service.
    cd  %SPLUNK_HOME%\bin
    .\splunk stop
    
  2. Run the Microsoft Installer to perform the uninstallation.
    msiexec /x splunkuniversalforwarder-<...>-x86-release.msi

The installer has one supported flag that you can use during uninstallation.

Flag Description Default
REMOVE_FROM_GROUPS=1|0 Specifies whether or not to take away rights and administrative group membership from the user you installed the forwarder as. This flag is available only when you uninstall the universal forwarder.

If you set this flag to 1, the installer takes away group membership and elevated rights from the user you installed the forwarder as.

If you set this flag to 0, the installer does not take away group membership and elevated rights from the user

1 (Take away elevated rights and group membership on uninstall.)
Last modified on 22 March, 2022
Upgrade a universal forwarder to a heavy forwarder   Configure load balancing for Splunk Enterprise

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters