Uninstall ITE Work
To uninstall ITE Work on an on-premises instance, complete these tasks. Splunk Cloud Platform customers have to work with Support to uninstall ITE Work. To file a ticket on the Splunk Support Portal, see Support and Services.
- Remove all Splunk apps installed with ITE Work.
- Remove all ITE Work indexes.
- Clean the kvstore.
- Delete scheduled backups.
ITE Work doesn't provide an automatic way to clean up the contents for a distributed deployment. To clean up a distributed deployment you have to perform these steps on individual search heads and indexers.
Once you uninstall ITE Work, you can perform a clean reinstallation. See Install ITE Work on a single instance in this manual.
Remove all Splunk apps installed with ITE Work
Remove all Splunk apps and add-ons installed with the current or previous versions of ITE Work.
Don't remove SA-ThreatIntelligence, SA-Ticketing, SA-Utils, or Splunk_SA_CIM if they're used by another app, such as Splunk Enterprise Security or Splunk App for VMware. If you remove them, any dependent apps won't function as expected.
Remove apps from standalone or non-clustered distributed environments
- Stop your Splunk platform.
$SPLUNK_HOME/bin/splunk stop
- On all search heads and indexers where ITE Work or dependent apps and add-ons are installed, delete all items installed by the ITE Work installation package. For example:
cd $SPLUNK_HOME/etc/apps
rm -rf DA-ITSI-* SA-IT* SA-IndexCreation SA-UserAccess itsi
For a complete listing of apps and add-ons installed by the ITE Work installation package, see About the ITE Work installation package in this manual.
Remove apps from clusters
To delete an app from a search head cluster, you have to remove it from the configuration bundle on the deployer. The next time you push the bundle, each cluster member deletes the app from its own file system. For more information, see Where to place the configuration bundle on the deployer in the Splunk Enterprise Distributed Search manual.
To delete an app from an indexer cluster, you have to remove it from the deployment location on the cluster master. For more information, see Update common peer configurations and apps in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Remove all ITE Work indexes
Remove the following ITE Work-specific indexes that SA-IndexCreation places in $SPLUNK_HOME/var/lib/splunk.
notable and risk indexes.
- anomaly_detection
- itsi_grouped_alerts
- itsi_im_meta
- itsi_im_metrics
- itsi_import_objects
- itsi_notable_archive
- itsi_notable_audit
- itsi_summary
- itsi_summary_metrics
- itsi_tracked_alerts
- snmptrapd
For example:
cd $SPLUNK_HOME/var/lib/splunk
rm -rf itsi_* anomaly_detection snmptrapd
Clean the kvstore
Clean the kvstore for the SA-ITOA app to ensure complete removal of ITE Work. This ensures that a future re-installation of ITE Work is a completely fresh install with no remnants of the previous installations.
To clean the kvstore, Splunk has to be running. Start your Splunk deployment, for example:
$SPLUNK_HOME/bin/splunk start
To clean the kvstore for the SA-ITOA app, run this command:
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA
Delete scheduled backups
Scheduled backups of ITE Work are stored in the $SPLUNK_HOME/var/itsi folder.
To remove the folder, run the following command on all search heads:
rm -rf $SPLUNK_HOME/var/itsi
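The file-system removals above, wrapped in a dry-run helper. This is an added example, not Splunk tooling: the function names and the "apply" switch are hypothetical, and the path patterns are taken from the index and backup commands on this page plus the app directories the helper's comment names. It refuses to run with an empty SPLUNK_HOME, because `rm -rf $SPLUNK_HOME/var/itsi` would then expand to `/var/itsi`, and it lists targets before deleting anything.

```shell
#!/bin/sh
# Added example: dry-run helper for the manual removal steps on this page.
# Function names and the "apply" switch are hypothetical, not Splunk tooling.

# Print every existing path under $1 that the page's rm -rf commands target.
itework_targets() {
    home=$1
    # An empty SPLUNK_HOME would turn "$SPLUNK_HOME/var/itsi" into "/var/itsi".
    [ -n "$home" ] || { echo "SPLUNK_HOME is empty" >&2; return 2; }
    [ -d "$home/etc/apps" ] || { echo "no etc/apps under $home" >&2; return 2; }

    # Patterns from the page. SA-ThreatIntelligence, SA-Ticketing, SA-Utils and
    # Splunk_SA_CIM are not matched, so apps shared with other products stay.
    for p in "$home"/etc/apps/DA-ITSI-* "$home"/etc/apps/SA-IT* \
             "$home"/etc/apps/SA-IndexCreation "$home"/etc/apps/itsi \
             "$home"/var/lib/splunk/itsi_* \
             "$home"/var/lib/splunk/anomaly_detection \
             "$home"/var/lib/splunk/snmptrapd \
             "$home"/var/itsi; do
        # Unmatched globs stay literal; report only what exists.
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# List the targets; delete them only when the second argument is "apply".
itework_remove() {
    list=$(itework_targets "$1") || return $?
    [ -n "$list" ] || return 0
    if [ "${2:-}" = "apply" ]; then
        printf '%s\n' "$list" | while IFS= read -r p; do rm -rf -- "$p"; done
    else
        printf '%s\n' "$list"
    fi
}
```

Run `itework_remove "$SPLUNK_HOME"` with Splunk stopped to review the list, then repeat with `apply` as the second argument. The kvstore clean is a separate step that needs Splunk running.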