Removing users from a Search Head

sgarvin55
Splunk Employee

I was looking for the proper way to remove a user (or users) from a Search Head. I know that just deleting the directory is not sufficient and may cause errors when you restart Splunk, especially if the user had saved or scheduled searches.

Here's a typical error being reported after a user was moved to user.OLD.

ERROR: pid 6750542 terminated with signal 6
Validating databases (splunkd validatedb) failed with code '-1'.

When the user.old was moved back to "user", the error disappeared.

0 Karma

rafamss
Contributor

Hi sgarvin55,

I did the following and this solved my problem.

./splunk remove user [nameuser] -auth user:pass

To improve this, I used a little trick, inserting a "|" after each command. With this, I can delete all the users I need to at one time.

./splunk remove user [user1] |
./splunk remove user [user2] |

All these commands were executed in the CLI.

sgarvin55
Splunk Employee

Using the ./splunk remove user username command as you suggested will only remove the user account used to log in to the GUI. If you go to $SPLUNK_HOME/etc/users, the account's directory still exists.
What I found out is that LDAP is part of the equation and is why it was getting a database error. The user will have to be removed from Active Directory first. Then move the user's directory to .BAK. Splunk is trying to authenticate the user against LDAP and the directory didn't exist.
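
An added example, not part of any post in this thread: a small audit that lists directories left under $SPLUNK_HOME/etc/users for accounts that no longer exist, and flags the ones that still hold saved searches. It assumes private saved searches are stored at `<user>/<app>/local/savedsearches.conf`; the function name, the status labels and the active-users file (one current username per line, which you build yourself) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Reports leftover user directories.
# Usage: sh audit_users.sh "$SPLUNK_HOME/etc/users" active_users.txt
#   active_users.txt: one current username per line (assumed input).

find_orphaned_users() {
    users_root=$1
    active_file=$2

    if [ ! -r "$active_file" ]; then
        echo "cannot read active user list: $active_file" >&2
        return 2
    fi

    for dir in "$users_root"/*/; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$dir" ] || continue
        user=$(basename "$dir")

        # Fixed-string, whole-line match so "bob" is not hidden by "bobby".
        if grep -Fxq -- "$user" "$active_file"; then
            continue
        fi

        # Count saved-search files in any app's local directory for this user.
        n=$(find "$dir" -path '*/local/savedsearches.conf' -type f | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "$user HAS_SAVED_SEARCHES"
        else
            echo "$user NO_SAVED_SEARCHES"
        fi
    done
}

# Run only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then
    find_orphaned_users "$1" "$2"
fi
```

Renamed directories such as user.OLD or user.BAK show up in the report as well, since they match no current username.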

rroberts
Splunk Employee

Why not just use the CLI:

splunk remove user

See:

splunk help remove

Also check out:

http://docs.splunk.com/Documentation/Splunk/4.2.5/Admin/Setupbuilt-inauthentication

0 Karma