Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does Splunk "Clean All" make itself a backup of auth data for logging into the instance?

verbal_666
Contributor
‎10-08-2022 10:59 PM

In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command

 

splunk clean all

 

OK. But, doing so, we reset also the passwd file, so from now on we have no more access to Splunk instance, unless we did previously a backup restoring it after the "clean all" did its job. So, considering this aspect, this type of documentation seems very dangerous to me, without specifying this case.

An example: i need to remove completely an instance from a SH Cluster
1) i follow the "clean all" Documentation, and i come in the case of an unuseful intsance
2) i follow, by myself, a "clean kvstore --cluster" or "clean kvstore --all", and the instance was there still running and operative, without the cluster db data registered

So, do a "splunk clean all" should make by itself a backup of auth data for logging into the instance or reassign the original "changeme"?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-09-2022 05:21 PM

I would not want to see Splunk commands automatically produce a backup of anything.  If a backup is needed then it should be up the admin to do so.  I think it's a good idea, however, for the documentation about the clean all command to warn admins that they will lose access to Splunk once the command completes.  Submit feedback on the docs page to suggest it.

---
If this reply helps you, Karma would be appreciated.
Reply

verbal_666
Contributor
‎10-11-2022 04:48 AM

I can agree with the automatic backup.

But, IMHO, it's a big trouble for a normal user to loose completely access to his instance, without an explicit  WARNING (which asks to backup his passwd!!! And that after that his instance will be without admin control!!!).

IMO 😕

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...