Splunk Search

How can I completely delete a user in Splunk ES?

fahimeh
Explorer

Hello,

As an admin, I deleted a user in Splunk Web, but when I try to add a user during an investigation, I still see the deleted user in the list. Why is this happening?

Is there a conflict between deleting users in Splunk Enterprise and Splunk ES?

 

0 Karma
1 Solution

vr2312
Builder

The names of the investigators are populated in the KV Store, user_realnames. Here are the steps that need to be taken for removing the old investigators.

  1. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store.
  2. On the Lookups page, find the “user_realnames_lookup” file and edit it.
  3. Delete the users who are not part of the organization currently. To delete, select any cell in the table and right-click; you will see options to delete the selected rows if needed.
  4. Ensure that the profiles no longer appear in the investigators section after the lookup update.
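
One way to work out which rows are stale before deleting them in step 3, as an added example that is not part of the post above or Splunk's own code: it compares an export of the KV Store rows against the accounts that still exist. The field names `user` and `realname`, the case-insensitive match and all sample data are assumptions.

```python
"""Added example: find stale investigator rows in a user_realnames export."""
import json

# Constructed sample data. The field names "user" and "realname" are
# assumptions about the collection's schema; "_key" is the KV Store record id.
KV_EXPORT = json.loads("""[
  {"_key": "k1", "user": "alice", "realname": "Alice A."},
  {"_key": "k2", "user": "Bob",   "realname": "Bob B."},
  {"_key": "k3", "user": "carol", "realname": "Carol C."},
  {"_key": "k4", "user": "",      "realname": "blank row"},
  {"_key": "k5", "realname": "no user field"}
]""")
CURRENT_USERS = ["admin", "alice", "bob"]  # constructed: accounts that still exist


def find_stale_rows(kv_rows, current_users, user_field="user"):
    """Return (stale, skipped): rows whose user no longer exists, and rows
    that cannot be judged because the user field is missing or empty."""
    # Assumption: usernames are compared case-insensitively.
    active = {u.strip().lower() for u in current_users if u and u.strip()}
    if not active:
        # An empty account list (failed export, wrong role) would mark every
        # investigator as stale, so refuse rather than suggest mass deletion.
        raise ValueError("current user list is empty; refusing to compare")
    stale, skipped = [], []
    for row in kv_rows:
        name = str(row.get(user_field) or "").strip()
        if not name:
            skipped.append(row)
        elif name.lower() not in active:
            stale.append(row)
    return stale, skipped


def stale_keys(kv_rows, current_users, user_field="user"):
    """_key values of the rows to delete in the lookup editor."""
    stale, _ = find_stale_rows(kv_rows, current_users, user_field)
    return [row["_key"] for row in stale]


if __name__ == "__main__":
    stale, skipped = find_stale_rows(KV_EXPORT, CURRENT_USERS)
    for row in stale:
        print("stale:", row["_key"], row["user"], "-", row.get("realname", ""))
    print("skipped (review by hand):", [r["_key"] for r in skipped])
```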


gcusello
SplunkTrust

Hi @fahimeh ,

ES doesn't have its own authentication method; it uses users from Splunk Enterprise and only has its own roles.

If you delete a user in Splunk Enterprise, it isn't possible for that user to access the system, but probably the investigations and actions from that user continue to remain in the system, even if, when you search for an object created by that user, you find an orphaned object.

Ciao.

Giuseppe

0 Karma

fahimeh
Explorer

Hi @vr2312,

Thank you for your response; it was completely correct.

 
0 Karma