This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
This topic discusses how to remove installed components of Splunk if you can't use package management commands.
Note: These will not remove any init scripts that have been created.
1. Stop Splunk.
$SPLUNK_HOME/bin/splunk stop
2. Find and kill any lingering processes that contain "splunk" in its name.
For Linux and Solaris:
kill -9 `ps -ef | grep splunk | grep -v grep | awk '{print $2;}'`
For FreeBSD and Mac OS
kill -9 `ps ax | grep splunk | grep -v grep | awk '{print $1;}'`
3. Remove the Splunk installation directory, $SPLUNK_HOME.
rm -rf /opt/splunk
3. Remove any Splunk datastore or indexes outside the top-level directory, if they exist.
rm -rf /opt/splunkdata
4. Delete the splunk user and group, if they exist.
For Linux, Solaris, and FreeBSD:
userdel splunk groupdel splunk
For Mac OS: You can use the System Preferences > Accounts panel to manage users and groups.