Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

user-seed.conf not working in Universal Forwarder

Stem
Engager
‎03-27-2026 11:17 AM

I have installed the UF(.v 10.2.1) on a Windows server using the cli command below. Splunk appears to install successfully and the user.seed.conf is copied to 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\user-seed.conf'. However, when I start Splunk the user-seed.conf file doesn't get deleted and any attempts to perform command line configurations result in 'Login Failed' errors. Any insight on what I'm missing/failing to do?

Install Command:
msiexec.exe /i C:\tmp\SplunkUniversalForwarder.msi AGREETOLICENSE=Yes LAUNCHSPLUNK=0 RECEIVING_INDEXER="192.168.10.10:9997" /qn

 

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎03-27-2026 04:11 PM
Or you have already etc/passwd on place with content.

View solution in original post

Reply
Solved! Jump to solution

kknairr
Communicator
‎03-28-2026 11:44 AM

@Stem Most probably, the user-seed file is not being parsed, likely due to syntax, or permissions. You may review the Splunkd logs to figure out the issue.

Make sure to follow the below syntax for the user-seed.conf file. Any deviation (extra spaces, wrong section header) will cause Splunk to ignore it.

[user_info]
USERNAME = admin
PASSWORD = <yourpassword>

Confirm the Splunk service account has read access to the file. On Windows, run Splunk as Administrator during installation or startup.

Ref: 

user-seed.conf | Platform (last updated 2026-01-13T21:03:58.807Z)

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-27-2026 12:35 PM

Check the splunkd.log but generally that's happening if either splunkd cannot access the file or it has syntax errors.

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎03-27-2026 04:11 PM
Or you have already etc/passwd on place with content.
Reply
Solved! Jump to solution

Stem
Engager
‎03-30-2026 12:17 PM

This appears to be the resolution to my issue. Installing Splunk .v 10.2.1 with the 'LAUNCHSPLUNK=0 ' parameter still generates a passwd file during installation. Deleting the file before first start allows the user-seed.conf file to be read and deleted. Thanks to all for your help!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...