Uninstall ITE Work
These steps permanently delete all data associated with your Splunk IT Essentials Work (ITE Work) deployment, such as configuration and kvstore data. Don't perform these steps unless you're certain you want to permanently delete your ITE Work deployment. If you're uncertain how to proceed, create a full backup of ITE Work or contact Splunk Support for guidance.
To uninstall ITE Work on an on-premises instance, complete these tasks. Splunk Cloud Platform customers have to work with Support to uninstall ITE Work. To file a ticket on the Splunk Support Portal, see Support and Services.
- Remove all Splunk apps installed with ITE Work.
- Remove all ITE Work indexes.
- Clean the kvstore.
- Delete scheduled backups.
ITE Work doesn't provide an automatic way to clean up the contents for a distributed deployment. To clean up a distributed deployment you have to perform these steps on individual search heads and indexers.
Once you uninstall ITE Work, you can perform a clean reinstallation. See Install ITE Work on a single instance in this manual.
Remove all Splunk apps installed with ITE Work
Remove all Splunk apps and add-ons installed with the current or previous versions of ITE Work.
Don't remove SA-ThreatIntelligence, SA-Ticketing, SA-Utils, or Splunk_SA_CIM if they're used by another app, such as Splunk Enterprise Security or Splunk App for VMware. If you remove them, any dependent apps won't function as expected.
Remove apps from standalone or non-clustered distributed environments
- Stop your Splunk platform.
$SPLUNK_HOME/bin/splunk stop
- On all search heads and indexers where ITE Work or dependent apps and add-ons are installed, delete all items installed by the ITE Work installation package. For example:
cd $SPLUNK_HOME/etc/apps
rm -rf DA-ITSI-* SA-IT* SA-IndexCreation SA-UserAccess itsi
For a complete listing of apps and add-ons installed by the ITE Work installation package, see About the ITE Work installation package in this manual.
Remove apps from clusters
To delete an app from a search head cluster, you have to remove it from the configuration bundle on the deployer. The next time you push the bundle, each cluster member deletes the app from its own file system. For more information, see Where to place the configuration bundle on the deployer in the Splunk Enterprise Distributed Search manual.
To delete an app from an indexer cluster, you have to remove it from the deployment location on the cluster master. For more information, see Update common peer configurations and apps in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Remove all ITE Work indexes
Remove the following ITE Work-specific indexes that SA-IndexCreation places in $SPLUNK_HOME/var/lib/splunk.
Don't remove any indexes that are currently in use by Splunk Enterprise Security or other Splunk apps, including notable and risk indexes.
anomaly_detection
itsi_grouped_alerts
itsi_im_meta
itsi_im_metrics
itsi_import_objects
itsi_notable_archive
itsi_notable_audit
itsi_summary
itsi_summary_metrics
itsi_tracked_alerts
snmptrapd
For example:
cd $SPLUNK_HOME/var/lib/splunk
rm -rf itsi_* anomaly_detection snmptrapd
Clean the kvstore
Clean the kvstore for the SA-ITOA app to ensure complete removal of ITE Work. This ensures that a future re-installation of ITE Work is a completely fresh install with no remnants of the previous installations.
To clean the kvstore, Splunk has to be running. Start your Splunk deployment, for example:
$SPLUNK_HOME/bin/splunk start
To clean the kvstore for the SA-ITOA app, run this command:
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA
Delete scheduled backups
Scheduled backups of ITE Work are stored in the $SPLUNK_HOME/var/itsi folder.
To remove the folder, run the following command on all search heads:
rm -rf $SPLUNK_HOME/var/itsi
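A dry-run check to run before the destructive steps on this page, as an added example that is not part of Splunk's documentation: it lists what the removal patterns above would match under a given SPLUNK_HOME, reports which of the shared supporting add-ons are present, and deletes nothing. The function names and the output labels (remove, keep-if-shared) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Splunk code): dry-run preview for the uninstall steps.
# It lists what the page's rm -rf patterns would match and deletes nothing.

# Patterns and names copied from the page's commands and warnings.
APP_PATTERNS='DA-ITSI-* SA-IT* SA-IndexCreation SA-UserAccess itsi'
INDEX_PATTERNS='itsi_* anomaly_detection snmptrapd'
SHARED_APPS='SA-ThreatIntelligence SA-Ticketing SA-Utils Splunk_SA_CIM'

# list_matches LABEL DIR PATTERNS: print "LABEL<TAB>path" for each existing match.
list_matches() {
    label=$1; dir=$2
    [ -d "$dir" ] || return 0
    set -f              # split the pattern list without globbing in the cwd
    set -- $3
    set +f
    for pat in "$@"; do
        for match in "$dir"/$pat; do    # the glob is expanded only under DIR
            # An unmatched glob stays literal, so keep only paths that exist.
            if [ -e "$match" ]; then printf '%s\t%s\n' "$label" "$match"; fi
        done
    done
    return 0
}

# preview_removal SPLUNK_HOME: returns 1 without listing anything on a bad root.
preview_removal() {
    root=$1
    # An unset or relative root turns "rm -rf $SPLUNK_HOME/var/itsi" into
    # "rm -rf /var/itsi" or a path relative to the current directory.
    case $root in
        /*) ;;
        *) echo "refusing: SPLUNK_HOME must be an absolute path" >&2; return 1 ;;
    esac
    if [ ! -d "$root/etc/apps" ]; then
        echo "refusing: $root/etc/apps not found" >&2; return 1
    fi
    list_matches remove "$root/etc/apps" "$APP_PATTERNS"
    list_matches remove "$root/var/lib/splunk" "$INDEX_PATTERNS"
    list_matches remove "$root/var" itsi
    # Shared apps are reported, never marked for removal: check dependents first.
    list_matches keep-if-shared "$root/etc/apps" "$SHARED_APPS"
}

# Stand-alone use: sh preview.sh "$SPLUNK_HOME"
if [ "$#" -gt 0 ]; then preview_removal "$1"; fi
```

Review the remove lines against the index and app warnings above before running any rm -rf command, and repeat the check on each search head and indexer in a distributed deployment.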
This documentation applies to the following versions of Splunk® IT Essentials Work: 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.18.0, 4.18.1, 4.19.0, 4.19.1