https://github.com/bernardofosu/remove_splunk

bash-script bash-scripting linux remove-splunk splunk

# This Bash script completely removes Splunk from a system, including its installation, user account, and all related files.

## 🛠 Installation Instructions:
**1️⃣** Open the remove_splunk.sh script file from the repository using any text editor.

**2️⃣** Copy all the script content.

**3️⃣** On your server, use a text editor (nano or vi) to create a file named remove_splunk.sh and paste the script into it.

**4️⃣** Save the file and exit the editor.

## 🔐 Grant Execution Permissions:
After creating the script, run the following command to make it executable:
```sh
sudo chmod +x remove_splunk.sh
```

### 🚀 Run the Uninstall Script
```sh
sudo ./remove_splunk.sh
```
##### 📌 Note:
_**./** means you are running the script from the current directory. If the script is not in your current directory, use its full path instead._

_🔑 Using sudo ensures the script has the permissions it needs to stop the service and delete system files and accounts._

_👀 If you're not logged in as root, you'll need sudo to perform the administrative actions the script carries out. Every step is destructive (rm -rf, account removal) and nothing asks for confirmation, so read the script and copy out anything under /opt/splunk you still need before running it._

## 📜 What's Inside the Uninstall Script?
🔹 Step-by-Step Breakdown

### 1️⃣ Stop the Splunk Service
```bash
if [ -f "/opt/splunk/bin/splunk" ]; then
    sudo /opt/splunk/bin/splunk stop --answer-yes --accept-license
else
    echo "Splunk service not found or already removed."
fi
```
✔️ If the Splunk binary exists at /opt/splunk/bin/splunk, it stops the Splunk service.

✔️ --answer-yes --accept-license prevents interactive prompts.

✔️ If Splunk isn't found, it prints "Splunk service not found or already removed."

✔️ This only stops the running process. If Splunk was registered to start at boot (`splunk enable boot-start`), the init script or systemd unit it created is not disabled here; run `sudo /opt/splunk/bin/splunk disable boot-start` before step 2 deletes the binary, because afterwards that command is no longer available.

### 2️⃣ Remove Splunk Installation Directory
```bash
sudo rm -rf /opt/splunk
```
✔️ Deletes the entire Splunk installation directory (/opt/splunk).

✔️ rm -rf ensures forced deletion without confirmation.

✔️ This takes the indexed data under /opt/splunk/var, the configuration under /opt/splunk/etc and any installed apps with it. There is no undo, so back up anything you need first.

### 3️⃣ Stop All Running Processes for the Splunk User
```bash
if id "splunk" &>/dev/null; then
    sudo pkill -u splunk || echo "No running processes for Splunk user."
fi
```
✔️ Checks if the splunk user exists using id "splunk".

✔️ If found, kills all processes owned by splunk using pkill -u splunk.

✔️ If no processes exist, it prints "No running processes for Splunk user."

✔️ pkill sends SIGTERM by default. Confirm with `pgrep -u splunk` that nothing is left and escalate to `sudo pkill -KILL -u splunk` if a process ignores the signal.

### 4️⃣ Remove Splunk User's Home Directory
```bash
if [ -d "/home/splunk" ]; then
    sudo rm -rf /home/splunk
else
    echo "Splunk home directory already removed."
fi
```
✔️ If /home/splunk exists, it gets deleted.

✔️ If already removed, it prints "Splunk home directory already removed."

✔️ The path is hardcoded. If the account was created with a different home directory, read it from the sixth field of `getent passwd splunk` instead of assuming /home/splunk.

### 5️⃣ Remove Splunk Group
```bash
if getent group splunk > /dev/null; then
    sudo groupdel splunk
fi
```
✔️ Checks if the splunk group exists.

✔️ If found, deletes it using groupdel splunk.

✔️ Caveat: groupdel refuses to delete a group that is still the primary group of an existing user. Because the splunk user is only removed in step 6, on a typical setup (where the user's primary GID is the splunk group, as in the /etc/passwd example in step 6) this step fails with an error such as "cannot remove the primary group of user 'splunk'". Step 6's edit of /etc/group then removes the group entry anyway, but the cleaner order is to delete the user first (`sudo userdel -r splunk`) and the group second.

**> /dev/null** (used here) sends only stdout to /dev/null; any error output from getent is still shown.

**&>/dev/null** (used with `id "splunk"` in steps 3 and 8) is a bash extension that redirects both stdout (standard output) and stderr (error output) to /dev/null, which hides any output. This prevents unnecessary messages from being displayed on the terminal. In a plain POSIX sh the same text means something else (it backgrounds the command), so the script must be run with bash.

### 6️⃣ Remove Splunk User from System Files
```bash
sudo sed -i '/^splunk:/d' /etc/passwd
sudo sed -i '/^splunk:/d' /etc/group
```
✔️ Uses sed to remove any Splunk-related entries from:
- /etc/passwd (user accounts)
- /etc/group (groups)

✔️ Caveat: editing these files directly bypasses the account tools. sed does not touch /etc/shadow or /etc/gshadow, so the splunk entries there are left behind as orphans, and it does not take the lock that useradd/userdel use, so a concurrent account change can be lost. `sudo userdel -r splunk` (which also removes the home directory, making step 4 unnecessary) followed by `sudo groupdel splunk` removes the account from all four files consistently.

#### Breakdown:
##### 1️⃣ sed (Stream Editor)
sed is used to edit text files by searching, modifying, and deleting lines.

##### 2️⃣ -i (In-Place Editing)
This flag modifies the file directly instead of printing the changed text to the terminal.

##### 3️⃣ '/^splunk:/d' (Delete Matching Lines)
/^splunk:/ → Matches any line that starts with "splunk:" (^ means start of line; the trailing colon keeps other account names that merely begin with "splunk" from matching).
"d" → Deletes the matched line.

##### 4️⃣ /etc/passwd
The system file where user account information is stored.

###### Example:
Before (/etc/passwd contains the "splunk" entry):
```bash
splunk:x:1001:1001::/home/splunk:/bin/bash
```
After: that line is gone and every other line of /etc/passwd is left as it was.

### 7️⃣ Clean Up Any Remaining Splunk Files
```bash
sudo find /var/log -name "*splunk*" -exec rm -rf {} \;
sudo find /etc -name "*splunk*" -exec rm -rf {} \;
sudo find /opt -name "*splunk*" -exec rm -rf {} \;
```
✔️ Searches and deletes any leftover Splunk-related files in:
- /var/log (log files)
- /etc (configuration files)
- /opt (other third-party software directories)

✔️ Caveats: -name is case-sensitive, so a file such as the Splunkd.service unit that `splunk enable boot-start` installs under /etc/systemd/system is not matched (use -iname for a case-insensitive match). The pattern is also broad: anything under /opt whose name contains "splunk" is deleted, including a co-installed Universal Forwarder at /opt/splunkforwarder. And once -exec rm -rf has deleted a matched directory, find still tries to descend into it and reports "No such file or directory"; adding -prune after the match (`find /opt -name "*splunk*" -prune -exec rm -rf {} \;`) stops the descent. None of these errors abort the script, so read its output.

#### 🔹 Explanation of the find Commands
These commands search for and delete all Splunk-related files in the specified directories (/var/log, /etc, /opt).

##### Breakdown:
###### 1️⃣ find /var/log -name "*splunk*"
- find /var/log → Search inside /var/log.
- -name "*splunk*" → Match files/folders whose names contain "splunk".
- -exec rm -rf {} \; → Delete each found file/folder recursively.

The **\;** terminates the -exec command; the backslash makes the shell pass the semicolon to find instead of treating it as a command separator.

###### 2️⃣ find /etc -name "*splunk*"
- Looks for Splunk-related config files in /etc (where system settings are stored).
- Deletes them permanently.

###### 3️⃣ find /opt -name "*splunk*"
- Searches for Splunk installation files in /opt (common for third-party apps).
- Deletes all Splunk-related files and directories.

###### 🔹 How It Works:
The -exec option in the find command allows you to execute a command on each file or directory that matches the search criteria.
- find ... -exec rm -rf {} \;
- -exec → Runs a command on each found file/folder.
- rm -rf {} → Deletes (rm) the found item:
  - -r → Recursively (for directories).
  - -f → Force delete (without confirmation).
- {} → Is replaced by the path of each found file/folder.
- \; → Ends the -exec command.

### 8️⃣ Verify and Confirm Removal
```bash
if id "splunk" &>/dev/null; then
    echo "Failed to remove Splunk user. Please check manually."
else
    echo "Splunk user removed successfully."
fi
```
✔️ Checks if the splunk user still exists.

✔️ If deleted, it prints "Splunk user removed successfully."

✔️ Similar checks are done for /opt/splunk and /home/splunk to confirm complete removal.

✔️ `id` resolves the account through the passwd database, so this check passes even when the /etc/shadow and /etc/gshadow entries that step 6 does not touch are still present. Check those separately with `sudo grep '^splunk:' /etc/shadow /etc/gshadow`.

### ✅ Final Outcome
✔️ Splunk is uninstalled from the system.

✔️ For a default installation under /opt/splunk, no logs, user, home directory or configuration files remain in the directories the script covers. Anything outside them (a boot-start unit, the /etc/shadow entry, data kept on another volume) has to be checked by hand.

✔️ System is ready for a fresh Splunk installation if needed.

## 🚀 Simplifying Splunk Uninstallation for the Architect Class
Since we are installing multiple Splunk instances for the architect class, I have designed a Bash script to streamline the process and speed up our work.

If you encounter any issues while using it, please let me know. I'm happy to help! 😊

#### 💬 **Share Your Views!**
Join the discussion on the repository to share feedback and suggestions for improvement.

#### 🔧 **Want to Contribute?**
You can **fork** the repository, modify the script, and send a **pull request** to enhance it! 🚀

Thank you for your support! 🙌