Splunk Search

Users still showing after being deleted

wpb162
Explorer

I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI and the CLI to delete users, but they are still visible after deletion. But something seems to have happened, because, even though the users are still showing up using the list command in the CLI, when I try to delete the user using the remove command, it says the user does not exist.

Is there a config file I need to edit to get the users to stop appearing? This is also a clustered Splunk Enterprise environment. Does this mean there are further steps I have to take to delete a user?

Thanks

0 Karma
1 Solution

wpb162
Explorer

I believe I simply needed to restart each instance after I deleted the users on it.

0 Karma

fahimeh
Explorer

I have the same problem as you. How did you solve it?

0 Karma

wpb162
Explorer

I believe I simply needed to restart each instance after I deleted the users on it.

0 Karma

PickleRick
SplunkTrust

What are you using for authentication? If you are using an external authentication source (like LDAP or SAML), your users will get re-created as soon as they authenticate using that source.

0 Karma

wpb162
Explorer

Just using the local Splunk authentication (username and password), nothing external.

0 Karma

PickleRick
SplunkTrust

Another thing that comes to mind - local file permissions? (splunk process unable to alter the passwd file)

0 Karma

wpb162
Explorer

Permissions seem to be fine, and the deleted users do not show up in the passwd file. 

However, the users still show up in the GUI and when I run 

list user
0 Karma

KendallW
Contributor

Hi @wpb162 
It could be that the removal of the users has not propagated to all members of the SHC yet. How many members are in your SHC? How long did you leave it after running the "splunk remove user" command?

0 Karma

wpb162
Explorer

3 members in the cluster, has not updated since I made the change yesterday, even on the instance I made the change on.

0 Karma

deepakc
Builder

Removing users is a standard Splunk admin task, so this is odd!

If you look at your config, what does this state? 

If you run the btool command and check your authentication config? 

 

/opt/splunk/bin/splunk cmd btool authentication list --debug

0 Karma