- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Users still showing after being deleted
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI and the CLI to delete users, but they are still visible after deletion. But something seems to have happened, because, even though the users are still showing up using the list command in the CLI, when I try to delete the user using the remove command, it says the user does not exist.
Is there a config file I need to edit to get the users to stop appearing? This is also a clustered Splunk Enterprise environment, does this mean there are further steps I have to take to delete a user?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe I simply needed to restart each instance after I deleted the users on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem as you
how did you solve it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe I simply needed to restart each instance after I deleted the users on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are you using for authentication? If you are using external authentication source (like LDAP or SAML) your users will get re-created as soon as they authenticate using that source.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just using the local Splunk authentication (username and password), nothing external.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another thing that comes to mind - local file permissions? (splunk process unable to alter the passwd file)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Permissions seem to be fine, and the deleted users do not show up in the passwd file.
However, the users still show up in the GUI and when I run
list user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @wpb162
It could be that the removal of the users has not propagated to all members of the SHC yet. How many members are in your SHC? How long did you leave it after running the "splunk remove user" command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 members in the cluster, has not updated since I made the change yesterday, even on the instance I made the change on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Removing users is a standard splunk admin task, so this is odd!.
If you look at your config, what does this state?
If you run the btool command and check your authentication config?
/opt/splunk/bin/splunk cmd btool authentication list --debug
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
SignalFlow: What? Why? How?
