I was looking for the proper way to remove a user (or users) from a Search Head. I know that just deleting the directory is not sufficient and may cause errors when you restart Splunk, especially if the user had saved or scheduled searches.
Here's a typical error being reported after a user was moved to user.OLD.
ERROR: pid 6750542 terminated with signal 6
Validating databases (splunkd validatedb) failed with code '-1'.
When the user.old was moved back to "user", the error disappeared.
Hi sgarvin55,
I did the following and this solved my problem:
./splunk remove user [nameuser] -auth user:pass
To improve this, I used a little trick: inserting a "|" after each command. With this, I can delete all the users I need to at one time.
./splunk remove user [user1] |
./splunk remove user [user2] |
All these commands were executed in the CLI.
Using the ./splunk remove user username command as you suggested will only remove the user account used to log in to the GUI. If you go to $SPLUNK_HOME/etc/users, the account's directory still exists.
What I found out is that LDAP is part of the equation and is why it was getting a database error. The user will have to be removed from Active Directory first. Then move the user's directory to .BAK. Splunk was trying to authenticate the user against LDAP and the directory didn't exist.
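A read-only check for the leftover directories described in the comment above, as an added example that is not part of the original thread or Splunk's own tooling. The function names and the demo users are hypothetical, and it assumes private saved searches sit in etc/users/<user>/<app>/local/savedsearches.conf:

```shell
#!/bin/sh
# Read-only check of $SPLUNK_HOME/etc/users for accounts that were already
# removed with "splunk remove user". Nothing is moved or deleted.

# user_dir_status SPLUNK_HOME USER -> gone | leftover | leftover+savedsearches
user_dir_status() {
    dir="$1/etc/users/$2"
    if [ ! -d "$dir" ]; then
        echo "gone"
        return 0
    fi
    # Assumed layout: etc/users/<user>/<app>/local/savedsearches.conf
    for conf in "$dir"/*/local/savedsearches.conf; do
        if [ -s "$conf" ]; then
            echo "leftover+savedsearches"
            return 0
        fi
    done
    echo "leftover"
}

# audit_removed_users SPLUNK_HOME USER...
# Prints "<user> <status>" per account; returns 1 if anything still needs review.
audit_removed_users() {
    home="$1"; shift
    rc=0
    for u in "$@"; do
        case "$u" in
            ""|*/*|.|..) echo "$u invalid-name"; rc=1; continue ;;
        esac
        st=$(user_dir_status "$home" "$u")
        echo "$u $st"
        [ "$st" = "gone" ] || rc=1
    done
    return $rc
}

# Constructed demo tree: alice has a scheduled search, bob an empty dir, carol none.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/users/alice/search/local" "$t/etc/users/bob/search/local"
    printf '[nightly report]\nenableSched = 1\n' \
        > "$t/etc/users/alice/search/local/savedsearches.conf"
    echo "$t"
}

# Usage: sh thisfile.sh "$SPLUNK_HOME" user1 user2 ...
if [ "$#" -ge 2 ]; then audit_removed_users "$@"; fi
```

A status of leftover+savedsearches marks a directory whose saved or scheduled searches should be reviewed or reassigned before the directory is moved aside.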
Why not just use the CLI:
splunk remove user
See:
splunk help remove
Also check out:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Admin/Setupbuilt-inauthentication