Stop Splunk Enterprise
Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk
Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory.
In the file add the following text:
[user_info]
PASSWORD = NEW_PASSWORD
In the place of "NEW_PASSWORD" insert the password you would like to use.
Start Splunk Enterprise and use the new password to log into your instance from Splunk Web.
If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.
Stop Splunk Enterprise
Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk
Start Splunk Enterprise and login to your instance from Splunk Web using the default credentials of admin/changeme.
You will be asked to enter a new password for your admin account.
If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.
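Added example (not part of the original answer and not Splunk's own tooling): a shell helper that stages the user-seed.conf reset from the steps above and handles the failure cases raised in this thread (unwritable etc directory, missing passwd file, existing backup). The function name stage_admin_reset and its return codes are assumptions; run it while Splunk is stopped, then start Splunk.

```shell
# Usage: stage_admin_reset "$SPLUNK_HOME" 'NEW_PASSWORD'
stage_admin_reset() {
    home=$1        # Splunk install directory ($SPLUNK_HOME)
    new_pw=$2      # password to seed for the admin account
    passwd_file="$home/etc/passwd"
    backup="$home/etc/passwd.bk"
    seed_dir="$home/etc/system/local"
    seed="$seed_dir/user-seed.conf"

    [ -n "$new_pw" ] || { echo "empty password" >&2; return 2; }

    # The etc directory must be writable by the current user, otherwise
    # the rename fails with "Permission denied".
    [ -w "$home/etc" ] || { echo "cannot write to $home/etc" >&2; return 3; }

    # Never overwrite an earlier backup: it may hold the only copy of
    # the other users' entries.
    [ ! -e "$backup" ] || { echo "$backup already exists" >&2; return 4; }

    # A missing passwd file is not fatal; there is nothing to back up.
    if [ -f "$passwd_file" ]; then
        mv "$passwd_file" "$backup" || return 5
    fi

    mkdir -p "$seed_dir" || return 6

    # The seed file holds the password in clear text, so make it
    # readable by its owner only. [user_info] is the stanza name that
    # user-seed.conf uses.
    (
        umask 077
        printf '[user_info]\nPASSWORD = %s\n' "$new_pw" > "$seed" &&
            chmod 600 "$seed"
    ) || return 7
}
```
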
mv /opt/splunk/etc/passwd /opt/splunk/etc/passwd.bak
mv: cannot move '/opt/splunk/etc/passwd' to '/opt/splunk/etc/passwd.bak': Permission denied
Why am I getting this error?
Swati, you should try with root; the splunk user doesn't have root permissions. Otherwise, add the splunk user as NOPASSWD in the sudoers file with the root user as below and try again.
vi /etc/sudoers (with root user)
XXX ALL=(ALL) NOPASSWD:ALL (here XXX is the user name)
hope it should work 🙂
I have installed Splunk on my Linux Ubuntu system. I have forgotten the admin password and now I am trying to retrieve it, but I am not able to find the passwd file under the /splunk/etc directory.
Please help me on this.
!- This is for Windows 7 -!
Stop splunk service using the command
c:\Program Files\Splunk\bin> splunk stop
Reset the admin password using the command as below
c:\Program Files\Splunk\bin>splunk edit user admin -password newPassword -role admin -auth admin:changeme
Start the splunk service
c:\Program Files\Splunk\bin> splunk start
Open URL https://localhost:8000 and use the credentials admin/newPassword
Hi, this question has been asked several times because the answer is a bit confusing. It says moving passwd file to passwd.bak. What does this mean??
I can find the passwd file, but what is this passwd.bak, and where do I find it? Must there be a folder where this file will be moved? Or do we just have to change the file extension?
Please help, Thanks.
This is an old answer and only works prior to V7.1. For all other versions read cbreshears_splunk's answer.
Yes. Just rename it with a .bak extension, restart and use the default password of "changeme"
To reset the admin password you will need to have access to the file system:
- move the $SPLUNK_HOME/etc/passwd file to
- restart splunk. After the restart you should be able to login using the default login (
If you created other user accounts, copy those entries from the backup file into the new passwd file and restart splunk.
Hey, I tried this but it does not seem to work. It says wrong password upon entering 'changeme'. By 'moving' passwd to passwd.bak do you mean renaming it? (I'm using Windows OS, not using any command shell). Please help.
If you are installing a splunk server (search, index, deploy), likely the splunk client software is running and using the same port. You need to remove the following file:
dpkg -l splunkforwarder (list the package)
dpkg -r splunkforwarder (remove the package)
Try logging in afterwards; it should take admin/changeme.