Recently I have encountered an issue while rebuilding data on one of our indexers. During this process I needed to execute the following command:
/opt/splunk/bin/splunk _internal call /data/indexes/main/rebuild-metadata-and manifests
However upon running, I was prompted for Splunk Username and Password. Typically we used the credentials created at Web GUI. But since the usually the indexers Web GUI is set to false most of the time, so there is no GUI username and password available on them. I tried using my Search Head Username and Password, followed by the OS Username and Password, but neither worked.
After some research, I discovered that every Splunk instance includes a default admin user created during installation:
Username: admin
Password: changeme
but it doesn't work for me.
Here is the procedure that finally worked for me, so to reset the password for the admin user
- Access the indexers cli, here the passwd file exist in: /opt/splunk/etc/
- Rename that file to passwd.bak
- Create a new file with the name: user-seed.conf, in location: /opt/splunk/etc/system/local/
In this file use the below configuration:
[user_info]
USERNAME = admin
PASSWORD = <password of your choice>
- Restart the Splunk service on that indexer using
/opt/splunk/bin/splunk restart
- This will generate a new passwd file. You can now use the admin user with the password you set in step 3.
After the resting the password, I've used the initial command, using the updated admin credentials and it worked.
