Splunk UBA updates HR data daily. Because HR data is used to assign users and IDs to events processed from all other data sources, you cannot make changes to HR data once you start adding data sources.

If you need to modify your HR data configuration after you have ingested events from other data sources, you must take the following steps:

1. Remove all metadata from Splunk UBA. Run the following command:

   /opt/caspida/bin/CaspidaCleanup dblite

   This command removes all threats, anomalies, user, and asset data, but does not remove the data sources, rules, or output connectors.
2. Ingest and verify your HR data again. See, Get HR data into Splunk UBA.
3. Ingest events from your data sources again.