Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I completely delete a user in Splunk ES?

fahimeh
Explorer
‎09-01-2024 03:30 AM

Hello,

As an admin, I deleted a user in Splunk Web, but when I try to add a user during an investigation, I still see the deleted user in the list. Why is this happening?

Is there a conflict between deleting users in Splunk Enterprise and Splunk ES?

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vr2312
Builder
‎09-01-2024 06:38 PM

The names of the investigators are populated in the KV Store, user_realnames, Here are steps that needs to be taken for removing the old investigators.

  1. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store.
  2. On the Lookups page, find the “user_realnames_lookup” file and edit it
  3. Delete the users who are not part of the organization currently. To Delete, select any cell in the table and right click you will see options to delete the selected rows if needed.
  4. Ensure that the profiles no longer appear in the investigators section after the lookup update.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-02-2024 12:53 AM

Hi @fahimeh ,

ES hasn't its own authentication method, it uses users from Splunk Enterprise, it only has its own roles.

If you delete an user in Splunk Enterprise its isn't possible for that user access the system, but probably the investigation and action from tha user continue to remain in the system, even if if you search an object created by that user you find an orphaned object.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

vr2312
Builder
‎09-01-2024 06:38 PM

The names of the investigators are populated in the KV Store, user_realnames, Here are steps that needs to be taken for removing the old investigators.

  1. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store.
  2. On the Lookups page, find the “user_realnames_lookup” file and edit it
  3. Delete the users who are not part of the organization currently. To Delete, select any cell in the table and right click you will see options to delete the selected rows if needed.
  4. Ensure that the profiles no longer appear in the investigators section after the lookup update.
Reply
Solved! Jump to solution

fahimeh
Explorer
‎09-07-2024 02:41 AM

hi @vr2312 

Thank you for your response; it was completely correct.

 
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...