Uninstall Splunk IT Service Intelligence
Once you uninstall ITSI, you can perform a clean reinstallation. See Install Splunk IT Service Intelligence in this manual.
ITSI doesn't provide an automatic way to clean up the contents for a distributed deployment. To clean a distributed deployment, you must perform these steps on individual search heads and indexers.
Step 1: Remove all Splunk apps installed with ITSI
Remove all Splunk apps and add-ons installed with the current or previous versions of ITSI.
Note: Don't remove SA-ThreatIntelligence, SA-Ticketing, SA-Utils, or Splunk_SA_CIM if they're used by another app, such as Splunk Enterprise Security or Splunk App for VMware. If you remove them, any dependent apps won't function as expected.
Remove apps from standalone or non-clustered distributed environments
- Stop your Splunk platform deployment.
$SPLUNK_HOME/bin/splunk stop
- On all search heads and indexers where ITSI or dependent apps and add-ons are installed, delete all items installed by the ITSI installation package. For example:
cd $SPLUNK_HOME/etc/apps
rm -rf DA-ITSI-* SA-IT* SA-IndexCreation SA-UserAccess itsi
- Start your Splunk platform deployment.
- Remove any ITSI modules that have been installed independently from ITSI.
For a complete listing of apps and add-ons installed by the ITSI installation package, see About the ITSI installation package in this manual.
Remove apps from clusters
To delete an app from a search head cluster, you must remove it from the configuration bundle on the deployer. The next time you push the bundle, each cluster member deletes the app from its own file system. For more information, see Where to place the configuration bundle on the deployer in the Splunk Enterprise Distributed Search manual.
To delete an app from an indexer cluster, you must remove it from the deployment location on the cluster master. For more information, see Update common peer configurations and apps in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Step 2: Remove all ITSI indexes
Remove the following ITSI-specific indexes that SA-IndexCreation places in $SPLUNK_HOME/var/lib/splunk.
notable and risk indexes.
- anomaly_detection
- itsi_grouped_alerts
- itsi_im_meta
- itsi_im_metrics
- itsi_import_objects
- itsi_notable_archive
- itsi_notable_audit
- itsi_summary
- itsi_summary_metrics
- itsi_tracked_alerts
- snmptrapd
For example:
cd $SPLUNK_HOME/var/lib/splunk
rm -rf itsi_* anomaly_detection
Step 3: Clean the kvstore
Clean the kvstore for the SA-ITOA app to ensure complete removal of ITSI. This ensures that a future re-installation of ITSI is a completely fresh install with no remnants of the previous installations.
To clean the kvstore, Splunk has to be running. Start your Splunk deployment, for example:
$SPLUNK_HOME/bin/splunk start
To clean the kvstore for the SA-ITOA app, run this command:
$SPLUNK_HOME/bin/splunk clean kvstore -app SA-ITOA
Step 4: Delete scheduled backups
Scheduled backups of ITSI are stored in the $SPLUNK_HOME/var/itsi folder.
To remove the folder, run the following command on all search heads:
rm -rf $SPLUNK_HOME/var/itsi
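The rm -rf commands in Steps 1, 2 and 4 depend on $SPLUNK_HOME being set correctly, so it helps to list what they would match before running them. The following dry-run inventory is an added example, not part of the Splunk manual; the function name itsi_removal_targets and its "remove"/"review" output labels are assumptions made for this sketch, and it deletes nothing.

```shell
#!/bin/sh
# Added example (not from the Splunk manual): dry-run inventory for Steps 1, 2 and 4.
# itsi_removal_targets is a hypothetical helper name. It only prints; it deletes nothing.
#   "remove <path>"  matches the rm -rf patterns shown in this procedure
#   "review <path>"  shared app from the Step 1 note; keep it if another app uses it
itsi_removal_targets() {
    home=$1
    # Refuse an empty or wrong SPLUNK_HOME. With the variable unset,
    # "cd $SPLUNK_HOME/etc/apps" becomes "cd /etc/apps", which normally fails,
    # and the rm -rf that follows then runs in the current directory.
    if [ -z "$home" ] || [ ! -d "$home/etc/apps" ]; then
        echo "error: '$home' does not contain etc/apps" >&2
        return 1
    fi
    # Step 1 app patterns, Step 2 index patterns (as in the example commands),
    # and the Step 4 backup folder. Unmatched globs stay literal and are skipped.
    for p in "$home"/etc/apps/DA-ITSI-* "$home"/etc/apps/SA-IT* \
             "$home"/etc/apps/SA-IndexCreation "$home"/etc/apps/SA-UserAccess \
             "$home"/etc/apps/itsi \
             "$home"/var/lib/splunk/itsi_* "$home"/var/lib/splunk/anomaly_detection \
             "$home"/var/itsi; do
        if [ -e "$p" ]; then echo "remove $p"; fi
    done
    # Apps the Step 1 note says to keep when other apps depend on them.
    for app in SA-ThreatIntelligence SA-Ticketing SA-Utils Splunk_SA_CIM; do
        if [ -e "$home/etc/apps/$app" ]; then echo "review $home/etc/apps/$app"; fi
    done
    return 0
}

# Inventory the real installation only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ]; then
    itsi_removal_targets "$SPLUNK_HOME" || true
fi
```

Run it on each search head and indexer and compare the "remove" lines with the list in About the ITSI installation package before deleting anything.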