Splunk® Enterprise

Installation Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Uninstall Splunk Enterprise

Learn how to remove Splunk Enterprise from a host by following the procedures in this topic.

Prerequisites

  1. If you configured Splunk Enterprise to start on boot, remove it from your boot scripts before you uninstall.
    ./splunk disable boot-start
    
  2. Stop Splunk Enterprise. Navigate to $SPLUNK_HOME/bin and type ./splunk stop (or just splunk stop on Windows).

Uninstall Splunk Enterprise with your package management utilities

If you used local package management tools to install Splunk Enterprise, use those same tools to uninstall Splunk Enterprise. In most cases, files that were not originally installed by the package are retained. These files include your configuration and index files which are locate in the Splunk Enterprise installation directory.

In these instructions, $SPLUNK_HOME refers to the Splunk installation directory. On Windows, this is C:\Program Files\Splunk by default. For most Unix platforms, the default installation directory is /opt/splunk. On Mac OS X, it is /Applications/splunk.

RedHat Linux

rpm -e splunk_product_name

Debian Linux

dpkg -r splunk

Remove all Splunk files, including configuration files

dpkg -P splunk

Other things you might want to delete

  • If you created any indexes and did not use the Splunk Enterprise default path, you must delete those directories as well.
  • If you created a user or group for running Splunk Enterprise, you should also delete them.

Windows

  • Use the Add or Remove Programs option in the Control Panel. In Windows 8.1 and 10, and Windows Server 2012 R2, 2016, and 2019, that option is available under Programs and Features.
  • (Optional) You can also uninstall Splunk Enterprise from the command line by using the msiexec executable against the Splunk installer package.
    msiexec /x splunk-<version>-x64.msi
    

Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.

Uninstall Splunk Enterprise manually

If you can't use package management commands, use these instructions to uninstall Splunk Enterprise.

  1. Stop Splunk Enterprise.
    $SPLUNK_HOME/bin/splunk stop
    
  2. Find and kill any lingering processes that contain "splunk" in their name.
    For Linux
    kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
    

    For Mac OS

    kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
    
  3. Remove the Splunk Enterprise installation directory, $SPLUNK_HOME.
    For Linux
    rm -rf /opt/splunk
    

    For Mac OS

    rm -rf /Applications/splunk
    

    You can also remove the installation directory by dragging the folder into the Trash.

  4. Remove any Splunk Enterprise datastore or indexes outside the top-level directory, if they exist.
    rm -rf /opt/splunkdata
    
  5. Delete the splunk user and group, if they exist.
    For Linux
    userdel splunk
    groupdel splunk
    

    For Mac OS
    Use the System Preferences > Accounts panel to manage users and groups.

    For Windows
    Open a command prompt and run the command msiexec /x against the msi package that you used to install Splunk Enterprise. If you don't have that package, get the correct version from the download page.

Last modified on 28 April, 2019
Migrate a Splunk Enterprise instance from one physical machine to another   PGP Public Key

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters