Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Delete all user accounts on Splunk Enterprise

On Splunk Enterprise only, you can remove all user data on the instance, including user accounts, by using the CLI.

The CLI is not available in Splunk Cloud, instead, you can delete accounts using Splunk Web.

Delete all user accounts by typing ./splunk clean CLI command followed by the userdata argument. This deletes all user accounts.

Removing user data is irreversible. If you accidentally delete user data, you must recreate all accounts, including the admin account, manually. Additionally, you must satisfy any password requirements that are in place when you recreate the accounts.

Remove all of the user accounts in the system

./splunk clean userdata

Remove the user accounts in the system and skip the confirmation prompt

./splunk clean userdata -f

Recreate the default admin account

In Splunk Enterprise 7.1.0 and higher, the default admin account is no longer automatically recreated on startup after running ./splunk clean userdata or ./splunk clean all.

To recreate the admin account, you can create a $SPLUNK_HOME/etc/system/local/user-seed.conf file with the following information before you restart the Splunk Enterprise instance.

USERNAME = admin
PASSWORD = <your new password> 
Last modified on 14 December, 2021
Find existing users and roles
Secure access for Splunk knowledge objects

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 9.0.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters