In many Splunk official Documentation we read sometimes, to "wipe" an instance, to launch the command
splunk clean all
OK. But, doing so, we reset also the passwd file, so from now on we have no more access to Splunk instance, unless we did previously a backup restoring it after the "clean all" did its job. So, considering this aspect, this type of documentation seems very dangerous to me, without specifying this case.
An example: i need to remove completely an instance from a SH Cluster
1) i follow the "clean all" Documentation, and i come in the case of an unuseful intsance
2) i follow, by myself, a "clean kvstore --cluster" or "clean kvstore --all", and the instance was there still running and operative, without the cluster db data registered
So, do a "splunk clean all" should make by itself a backup of auth data for logging into the instance or reassign the original "changeme"?
I would not want to see Splunk commands automatically produce a backup of anything. If a backup is needed then it should be up the admin to do so. I think it's a good idea, however, for the documentation about the clean all command to warn admins that they will lose access to Splunk once the command completes. Submit feedback on the docs page to suggest it.
I can agree with the automatic backup.
But, IMHO, it's a big trouble for a normal user to loose completely access to his instance, without an explicit WARNING (which asks to backup his passwd!!! And that after that his instance will be without admin control!!!).
IMO 😕