https://github.com/bernardofosu/remove_splunk
bash-script bash-scripting linux remove-splunk splunk
- Host: GitHub
- URL: https://github.com/bernardofosu/remove_splunk
- Owner: bernardofosu
- Created: 2025-02-13T21:53:29.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-02-14T02:38:48.000Z (4 months ago)
- Last Synced: 2025-02-14T03:28:37.731Z (4 months ago)
- Topics: bash-script, bash-scripting, linux, remove-splunk, splunk
- Language: Shell
- Homepage:
- Size: 0 Bytes
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
README
# This Bash script completely removes Splunk from a system, including its installation, user account, and all related files.
## Installation Instructions:
**1.** Open the remove_splunk.sh script file using any text editor.
**2.** Copy all the script content.
**3.** On your server, use a text editor (nano or vi) and paste the script.
**4.** Save the file and exit the editor.
## Grant Execution Permissions:
After creating the script, run the following command to make it executable:
```sh
sudo chmod +x remove_splunk.sh
```
### Run the Uninstall Script
```sh
sudo ./remove_splunk.sh
```
##### Note:
_**./** means you are running the script from the current directory. If you are not in that directory, use the full path to the script instead._
_Using sudo ensures the script has the permissions it needs to remove Splunk._
_If you're not using the root user, you'll need sudo to perform the administrative actions in the script._
## What's Inside the Uninstall Script?
Step-by-Step Breakdown
### 1. Stop the Splunk Service
```bash
if [ -f "/opt/splunk/bin/splunk" ]; then
    sudo /opt/splunk/bin/splunk stop --answer-yes --accept-license
else
    echo "Splunk service not found or already removed."
fi
```
- If the Splunk binary exists at /opt/splunk/bin/splunk, it stops the Splunk service.
- --answer-yes --accept-license prevents interactive prompts.
- If Splunk isn't found, it prints "Splunk service not found or already removed."
### 2. Remove Splunk Installation Directory
```bash
sudo rm -rf /opt/splunk
```
- Deletes the entire Splunk installation directory (/opt/splunk).
- rm -rf ensures forced deletion without confirmation.
### 3. Stop All Running Processes for the Splunk User
```bash
if id "splunk" &>/dev/null; then
    sudo pkill -u splunk || echo "No running processes for Splunk user."
fi
```
- Checks if the splunk user exists using id "splunk".
- If found, kills all processes owned by splunk using pkill -u splunk.
- If no processes exist, it prints "No running processes for Splunk user."
### 4. Remove Splunk User's Home Directory
```bash
if [ -d "/home/splunk" ]; then
    sudo rm -rf /home/splunk
else
    echo "Splunk home directory already removed."
fi
```
- If /home/splunk exists, it gets deleted.
- If already removed, it prints "Splunk home directory already removed."
### 5. Remove Splunk Group
```bash
if getent group splunk > /dev/null; then
    sudo groupdel splunk
fi
```
- Checks if the splunk group exists.
- If found, deletes it using groupdel splunk.
**&>/dev/null:**
Redirects both stdout (standard output) and stderr (error output) to /dev/null, which hides any output.
This prevents unnecessary messages from being displayed on the terminal.
### 6. Remove Splunk User from System Files
```bash
sudo sed -i '/^splunk:/d' /etc/passwd
sudo sed -i '/^splunk:/d' /etc/group
```
Uses sed to remove any Splunk-related entries from:
- /etc/passwd (user accounts)
- /etc/group (groups)
#### Breakdown:
##### 1. sed (Stream Editor)
sed is used to edit text files by searching, modifying, and deleting lines.
##### 2. -i (In-Place Editing)
This flag modifies the file directly instead of outputting the changes to the terminal.
##### 3. '/^splunk:/d' (Delete Matching Lines)
- /^splunk:/ matches any line that starts with "splunk:" (^ means start of line).
- d deletes the matched line.
##### 4. /etc/passwd
The system file where user account information is stored.
###### Example:
Before (/etc/passwd contains "splunk"):
```bash
splunk:x:1001:1001::/home/splunk:/bin/bash
```
### 7. Clean Up Any Remaining Splunk Files
```bash
sudo find /var/log -name "*splunk*" -exec rm -rf {} \;
sudo find /etc -name "*splunk*" -exec rm -rf {} \;
sudo find /opt -name "*splunk*" -exec rm -rf {} \;
```
Searches for and deletes any leftover Splunk-related files in:
- /var/log (log files)
- /etc (configuration files)
- /opt (other system directories)
#### Explanation of the find Commands
These commands search for and delete all Splunk-related files in the specified directories (/var/log, /etc, /opt).
##### Breakdown:
###### 1. find /var/log -name "*splunk*"
- find /var/log: search inside /var/log.
- -name "*splunk*": match files/folders containing "splunk" in their names.
- -exec rm -rf {} \;: delete each found file/folder recursively. The **\;** terminates the -exec command in a find command.
###### 2. find /etc -name "*splunk*"
- Looks for Splunk-related config files in /etc (where system settings are stored).
- Deletes them permanently.
###### 3. find /opt -name "*splunk*"
- Searches for Splunk installation files in /opt (common for third-party apps).
- Deletes all Splunk-related files and directories.
###### How It Works:
The -exec option in the find command allows you to execute a command on each file or directory that matches the search criteria.
- find ... -exec rm -rf {} \;
- -exec: runs a command on each found file/folder.
- rm -rf {}: deletes (rm) the found item:
  - -r: recursively (for directories).
  - -f: force delete (without confirmation).
- {}: represents each found file/folder.
- \;: ends the -exec command.
#### 8. Verify and Confirm Removal
```bash
if id "splunk" &>/dev/null; then
echo "Failed to remove Splunk user. Please check manually."
else
echo "Splunk user removed successfully."
fi
```
- Checks if the splunk user still exists.
- If deleted, it prints "Splunk user removed successfully."
- Similar checks are done for /opt/splunk and /home/splunk to confirm complete removal.
#### Final Outcome
- Splunk is completely uninstalled from the system.
- No traces of Splunk remain, including logs, users, and configuration files.
- System is ready for a fresh Splunk installation if needed.
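A post-removal check covering the end state of all eight steps above, added here as an example; it is not part of the repository's remove_splunk.sh. The function name verify_splunk_removed and the optional ROOT prefix argument are my own, and the check of /etc/shadow and /etc/gshadow goes beyond the script because the sed commands in step 6 leave those two files untouched (userdel and groupdel clear them).

```shell
#!/usr/bin/env bash
# Post-removal check for the eight uninstall steps. Added example, not part
# of the repository's remove_splunk.sh. verify_splunk_removed and the
# optional ROOT prefix are assumed names; ROOT lets the same checks run
# against a constructed directory tree instead of the live system.

verify_splunk_removed() {
    root="${1:-}"
    findings=0

    # Steps 5 and 6: the sed commands edit /etc/passwd and /etc/group only,
    # so /etc/shadow and /etc/gshadow can still carry a splunk line
    # (userdel and groupdel clear those too). Unreadable files are skipped.
    for f in passwd group shadow gshadow; do
        if [ -r "$root/etc/$f" ] && grep -q '^splunk:' "$root/etc/$f"; then
            echo "LEFTOVER: $root/etc/$f still has a splunk entry"
            findings=$((findings + 1))
        fi
    done

    # Steps 2 and 4: installation and home directories must be gone.
    for d in "$root/opt/splunk" "$root/home/splunk"; do
        if [ -e "$d" ]; then
            echo "LEFTOVER: directory $d still exists"
            findings=$((findings + 1))
        fi
    done

    # Step 7: anything still named *splunk* in the three swept directories.
    for d in "$root/var/log" "$root/etc" "$root/opt"; do
        [ -d "$d" ] || continue
        n=$(find "$d" -name '*splunk*' 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            find "$d" -name '*splunk*' 2>/dev/null | sed 's/^/LEFTOVER: file /'
            findings=$((findings + n))
        fi
    done

    # Step 3 (live system only): nothing may still run as the splunk user.
    if [ -z "$root" ] && id splunk >/dev/null 2>&1 \
        && pgrep -u splunk >/dev/null 2>&1; then
        echo "LEFTOVER: processes still running as user splunk"
        findings=$((findings + 1))
    fi

    echo "findings: $findings"
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was left behind
}
```

Source the file and call `verify_splunk_removed` with no argument (as root, so /etc/shadow is readable) after the uninstall script has run; a non-zero exit status means something was left behind.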
## Simplifying Splunk Uninstallation for the Architect Class
Since we are installing multiple Splunk instances for the architect class, I have designed a Bash script to streamline the process and speed up our work. If you encounter any issues while using it, please let me know. I'm happy to help!
#### **Share Your Views!**
Join the discussion on the repository to share feedback and suggestions for improvement.
#### **Want to Contribute?**
You can **fork** the repository, modify the script, and send a **pull request** to enhance it! Thank you for your support!