Uninstall Splunk Enterprise
Learn how to remove Splunk Enterprise from a host by following the procedures in this topic.
Prerequisites
- If you configured Splunk Enterprise to start on boot, remove it from your boot scripts before you uninstall.
./splunk disable boot-start
- Stop Splunk Enterprise. Navigate to
$SPLUNK_HOME/bin
and type./splunk stop
(or justsplunk stop
on Windows).
Uninstall Splunk Enterprise with your package management utilities
If you used local package management tools to install Splunk Enterprise, use those same tools to uninstall Splunk Enterprise. In most cases, files that were not originally installed by the package are retained. These files include your configuration and index files which are locate in the Splunk Enterprise installation directory.
In these instructions, $SPLUNK_HOME
refers to the Splunk installation directory. On Windows, this is C:\Program Files\Splunk
by default. For most Unix platforms, the default installation directory is /opt/splunk
. On Mac OS X, it is /Applications/splunk
.
RedHat Linux
rpm -e splunk_product_name
Debian Linux
dpkg -r splunk
Remove all Splunk files, including configuration files
dpkg -P splunk
Other things you might want to delete
- If you created any indexes and did not use the Splunk Enterprise default path, you must delete those directories as well.
- If you created a user or group for running Splunk Enterprise, you should also delete them.
Windows
- Use the Add or Remove Programs option in the Control Panel. In Windows 8.1 and 10, and Windows Server 2012 R2, 2016, and 2019, that option is available under Programs and Features.
- (Optional) You can also uninstall Splunk Enterprise from the command line by using the
msiexec
executable against the Splunk installer package.
msiexec /x splunk-<version>-x64.msi
Under some circumstances, the Microsoft installer might present a reboot prompt during the uninstall process. You can safely ignore this request without rebooting.
Uninstall Splunk Enterprise manually
If you can't use package management commands, use these instructions to uninstall Splunk Enterprise.
- Stop Splunk Enterprise.
$SPLUNK_HOME/bin/splunk stop
- Find and
kill
any lingering processes that contain "splunk" in their name.
For Linux
kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
For Mac OS
kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
- Remove the Splunk Enterprise installation directory,
$SPLUNK_HOME
.
For Linux
rm -rf /opt/splunk
For Mac OS
rm -rf /Applications/splunk
You can also remove the installation directory by dragging the folder into the Trash.
- Remove any Splunk Enterprise datastore or indexes outside the top-level directory, if they exist.
rm -rf /opt/splunkdata
- Delete the
splunk
user and group, if they exist.
For Linuxuserdel splunk groupdel splunk
For Mac OS
Use the System Preferences > Accounts panel to manage users and groups.
For Windows
Open a command prompt and run the commandmsiexec /x
against the msi package that you used to install Splunk Enterprise. If you don't have that package, get the correct version from the download page.
Migrate a Splunk Enterprise instance from one physical machine to another | PGP Public Key |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2
Feedback submitted, thanks!