Delete all user accounts on Splunk Enterprise
On Splunk Enterprise only, you can remove all user data on the instance, including user accounts, by using the CLI.
The CLI is not available in Splunk Cloud, instead, you can delete accounts using Splunk Web.
Delete all user accounts by typing
./splunk clean CLI command followed by the
userdata argument. This deletes all user accounts.
Removing user data is irreversible. If you accidentally delete user data, you must recreate all accounts, including the admin account, manually. Additionally, you must satisfy any password requirements that are in place when you recreate the accounts.
Remove all of the user accounts in the system
./splunk clean userdata
Remove the user accounts in the system and skip the confirmation prompt
./splunk clean userdata -f
Recreate the default admin account
In Splunk Enterprise 7.1.0 and higher, the default admin account is no longer automatically recreated on startup after running
./splunk clean userdata or
./splunk clean all.
To recreate the admin account, you can create a
$SPLUNK_HOME/etc/system/local/user-seed.conf file with the following information before you restart the Splunk Enterprise instance.
[user_info] USERNAME = admin PASSWORD = <your new password>
Find existing users and roles
Secure access for Splunk knowledge objects
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107, 8.1.2103