Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

user-seed.conf not working in Universal Forwarder

Stem
Engager
‎03-27-2026 11:17 AM

I have installed the UF(.v 10.2.1) on a Windows server using the cli command below. Splunk appears to install successfully and the user.seed.conf is copied to 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\user-seed.conf'. However, when I start Splunk the user-seed.conf file doesn't get deleted and any attempts to perform command line configurations result in 'Login Failed' errors. Any insight on what I'm missing/failing to do?

Install Command:
msiexec.exe /i C:\tmp\SplunkUniversalForwarder.msi AGREETOLICENSE=Yes LAUNCHSPLUNK=0 RECEIVING_INDEXER="192.168.10.10:9997" /qn

 

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎03-27-2026 04:11 PM
Or you have already etc/passwd on place with content.

View solution in original post

Reply
Solved! Jump to solution

kknairr
Contributor
‎03-28-2026 11:44 AM

@Stem Most probably, the user-seed file is not being parsed, likely due to syntax, or permissions. You may review the Splunkd logs to figure out the issue.

Make sure to follow the below syntax for the user-seed.conf file. Any deviation (extra spaces, wrong section header) will cause Splunk to ignore it.

[user_info]
USERNAME = admin
PASSWORD = <yourpassword>

Confirm the Splunk service account has read access to the file. On Windows, run Splunk as Administrator during installation or startup.

Ref: 

user-seed.conf | Platform (last updated 2026-01-13T21:03:58.807Z)

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-27-2026 12:35 PM

Check the splunkd.log but generally that's happening if either splunkd cannot access the file or it has syntax errors.

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎03-27-2026 04:11 PM
Or you have already etc/passwd on place with content.
Reply
Solved! Jump to solution

Stem
Engager
‎03-30-2026 12:17 PM

This appears to be the resolution to my issue. Installing Splunk .v 10.2.1 with the 'LAUNCHSPLUNK=0 ' parameter still generates a passwd file during installation. Deleting the file before first start allows the user-seed.conf file to be read and deleted. Thanks to all for your help!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...