Splunk Enterprise Security

How does one remove the Enterprise Security Suite?

Communicator

I tried $SPLUNK_HOME$/bin/splunk remove app SplunkEnterpriseSecuritySuite and it tells me "app doesn't exist" -- It does... I'm looking at it. Same thing when I try to uninstall any of the SA or DA apps using the splunk binary.

I'm about to hard rip the directories but I just wanted to check to see if anyone had a more elegant way of doing this.

0 Karma
1 Solution

Motivator

Deleting the apps in the app directories is the way I did it, it worked like a charm and was though it never existed.

View solution in original post

Motivator

Deleting the apps in the app directories is the way I did it, it worked like a charm and was though it never existed.

View solution in original post

Communicator

But after that i have seen that some apps like Deep security and Fortinet stopped collecting the data in real time..

0 Karma

Splunk Employee
Splunk Employee

Hey proletariat99, the change from https to http is expected. The Splunk App for Enterprise Security changes splunkweb from http to https, so upon removal, it would revert back.

Also, if you're antsy about removing apps in the future, you can just move an app to the disabled-apps directory $SPLUNK_HOME/etc/disabled-apps) and restart. That way they're always there if you want to move them back.

Motivator

Did not noticed disabled-apps before. Interesting.

0 Karma

Communicator

Thanks. I just needed one confirmation before I felt okay pulling the trigger.

So I removed all the apps by using the following commands:
$ rm -rf SplunkEnterpriseSecurity*
$ rm -rf SA-*
$ rm -rf DA-ESS*

The only thing to note is that my local splunk (6.0) instance went from using ssl (https://127.0.0.1:8000) to not ssl (http://127.0.0.1:8000).

I thought that was odd, because I didn't change anything else.