Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Delete all user accounts on Splunk Enterprise

On Splunk Enterprise only, you can remove all user data on the instance, including user accounts, by using the CLI.

The CLI is not available in Splunk Cloud Platform. There, you can delete accounts using Splunk Web.

Delete all user accounts by typing ./splunk clean CLI command followed by the userdata argument. This deletes all user accounts.

Removing user data is irreversible. If you accidentally delete user data, you must recreate all accounts, including the admin account, manually. Additionally, you must satisfy any password requirements that are in place when you recreate the accounts.

Remove all of the user accounts from the instance

The following command removes all user accounts from the instance. It prompts you before performing the wipe. After you confirm, the instance irrevocably deletes all local user accounts. It does not delete user accounts on external authentication systems.

./splunk clean userdata

Remove the user accounts in the system and skip the confirmation prompt

The following command irrevocably deletes all user accounts on the system and does not prompt you before performing the delete. Use this command carefully as it is impossible to undo the action.

./splunk clean userdata -f

Recreate the default admin account

Splunk Enterprise no longer creates the default admin account on startup after you run ./splunk clean userdata or ./splunk clean all to remove users and data.

To recreate the admin account, follow the procedures at Create administrator credentials with the user-seed.conf configuration file.

Last modified on 02 May, 2024
Find existing users and roles   Secure access for Splunk knowledge objects

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters