Splunk® Enterprise

Installation Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Uninstall Splunk Enterprise

This topic discusses how to remove Splunk Enterprise from your system.

Before you uninstall, stop Splunk Enterprise. Navigate to $SPLUNK_HOME/bin and type ./splunk stop (or just splunk stop on Windows).

Uninstall Splunk Enterprise with your package management utilities

Use your local package management commands to uninstall Splunk Enterprise. In most cases, files that were not originally installed by the package will be retained. These files include your configuration and index files which are under your installation directory.

Note: $SPLUNK_HOME refers to the Splunk installation directory. On Windows, this is C:\Program Files\Splunk by default. For most Unix platforms, the default installation directory is /opt/splunk; for Mac OS, it is /Applications/splunk.

RedHat Linux

To uninstall Splunk Enterprise on RedHat:

rpm -e splunk_product_name

Debian Linux

To uninstall Splunk Enterprise on Debian:

dpkg -r splunk

To purge (delete everything, including configuration files) on Debian:

dpkg -P splunk

FreeBSD

To uninstall Splunk Enterprise from the default location on FreeBSD:

pkg_delete splunk

To uninstall Splunk Enterprise from a different location on FreeBSD:

pkg_delete -p /usr/splunk splunk

Solaris

To uninstall Splunk Enterprise on Solaris:

pkgrm splunk

HP-UX

To uninstall Splunk Enterprise on HP-UX, you must stop Splunk, disable boot-start (if you configured it), and then delete the Splunk Enterprise installation.

Note: The $SPLUNK_HOME variable refers to the directory where you installed Splunk Enterprise.

1. Stop Splunk Enterprise:

$SPLUNK_HOME/bin/splunk stop

2. If you enabled boot-start, run the following command as root:

$SPLUNK_HOME/bin/splunk disable boot-start

3. Delete the Splunk installation directories:

rm -rf $SPLUNK_HOME

Other things you may want to delete:

  • If you created any indexes and did not use the Splunk Enterprise default path, you must delete those directories as well.
  • If you created a user or group for running Splunk Enterprise, you should also delete them.

Windows

To uninstall Splunk Enterprise on Windows:

Use the Add or Remove Programs option in the Control Panel. In Windows 7 and Windows Server 2008, that option is available under Programs and Features.

You can also uninstall Splunk Enterprise from the command line by using the msiexec executable against the Splunk installer package:

C:\> msiexec /x splunk-<version>-x64.msi

Note: Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Uninstall Splunk Enterprise manually

If you can't use package management commands, use these instructions to uninstall Splunk Enterprise.

Note: These instructions will not remove any init scripts that have been created.

1. Stop Splunk Enterprise.

$SPLUNK_HOME/bin/splunk stop

2. Find and kill any lingering processes that contain "splunk" in its name.

For Linux and Solaris:

kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`

For FreeBSD and Mac OS

kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`

3. Remove the Splunk Enterprise installation directory, $SPLUNK_HOME. For example:

rm -rf /opt/splunk

Note: For Mac OS, you can also remove the installation directory by dragging the folder into the trash.

3. Remove any Splunk Enterprise datastore or indexes outside the top-level directory, if they exist.

rm -rf /opt/splunkdata

4. Delete the splunk user and group, if they exist.

For Linux, Solaris, and FreeBSD:

userdel splunk
groupdel splunk

For Mac OS: You can use the System Preferences > Accounts panel to manage users and groups.

For Windows: Open a command prompt and run the command msiexec /x against the msi package that you installed.

PREVIOUS
Migrate to the new Splunk Enterprise licenser
  NEXT
PGP Public Key

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Comments

On Mac OS X, it’s probably worth removing:

/Library/LaunchDaemons/com.splunk.splunkd.plist

to stop it trying to restart on boot.

Bgg
July 9, 2015

After stopping splunkd and before removing the package, worth doing:<br /><br /> $SPLUNK_HOME/bin/splunk disable boot-start<br /><br />to tidy up /etc/rc*.d and /etc/init.d

Dvavasour
November 6, 2014

This option should be part of the official documentation as there are many cases where the install and uninstall of Splunk/Splunk Heavy Forwarder maybe automated in an enterprise environment.<br /><br /># Disable Survey Monkey Popup for Windows uninstall<br />msiexec /q /x splunk-[version/build]-release.msi SUPPRESS_SURVEY=1

Rob jordan
September 16, 2014

Thanks Malmoore - Check out the HP-UX instructions. Those instructions leverage the Note on the top of this article re $SPLUNK_HOME to use the variable in the instructions.

SloshBurch
March 18, 2014

Hi SloshBurch,<br /><br />Thank you for your suggestion. However, as the step you reference is an actual example, changing the directory to $SPLUNK_HOME might cause some confusion for someone who runs the command as is. $SPLUNK_HOME would need to be a set variable on the system in order for the command to work as suggested.

Malmoore
March 14, 2014

I suggest switching step 3 from <br />rm -rf /opt/splunk<br />to<br />rm -rf $SPLUNK_HOME

SloshBurch
March 14, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters