I just realized that I lost the Admin password and I need a way to access the system, with my Admin credentials.
Stop Splunk Enterprise
Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk
Create a file named user-seed.conf in your $SPLUNK_HOME/etc/system/local/ directory.
In the file add the following text:
[user_info]
PASSWORD = NEW_PASSWORD
In the place of "NEW_PASSWORD" insert the password you would like to use.
Start Splunk Enterprise and use the new password to log into your instance from Splunk Web.
If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.
Stop Splunk Enterprise
Find the passwd file for your instance ($SPLUNK_HOME/etc/passwd) and rename it to passwd.bk
Start Splunk Enterprise and log in to your instance from Splunk Web using the default credentials of admin/changeme.
You will be asked to enter a new password for your admin account.
If you previously created other users and know their login details, copy and paste their credentials from the passwd.bk file into the passwd file and restart Splunk.
Small note to add: since v9.x the password complexity is enforced in the user-seed.conf file as well. So be sure the new password is at least 8 characters long or whatever your complexity requirements are. If the new etc/passwd file is not created, then check the splunkd.log file for the failure reason.
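The user-seed.conf steps from the accepted answer, with the length check from the note above, as an added shell example that is not part of the original thread or Splunk's own tooling. The function names, the MIN_LEN value of 8 and the refusal to overwrite an existing passwd.bk are assumptions of this example; Splunk must already be stopped when it runs.

```shell
#!/bin/sh
# Added example: stage an admin password reset under a given SPLUNK_HOME.
# Usage (after stopping Splunk): stage_admin_reset "$SPLUNK_HOME" admin 'new password'
# Function and variable names are hypothetical, not Splunk commands.

MIN_LEN=8   # assumption: minimum length from the note above; match your own policy

stage_admin_reset() {
    home=$1; user=$2; pass=$3
    etc="$home/etc"
    seed="$etc/system/local/user-seed.conf"

    [ -d "$etc" ] || { echo "no etc directory under $home" >&2; return 2; }

    # A seed password that fails the complexity policy means no passwd file
    # is created on the next start, so check the length before touching anything.
    if [ "${#pass}" -lt "$MIN_LEN" ]; then
        echo "password is shorter than $MIN_LEN characters" >&2
        return 3
    fi

    # Never clobber an earlier backup: it holds the other users' entries.
    if [ -f "$etc/passwd" ] && [ -e "$etc/passwd.bk" ]; then
        echo "$etc/passwd.bk already exists; move it aside first" >&2
        return 4
    fi
    if [ -f "$etc/passwd" ]; then
        mv "$etc/passwd" "$etc/passwd.bk" || return 5
    fi
    mkdir -p "$etc/system/local" || return 5

    # The seed file holds the password in clear text: create it owner-only.
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$seed"
    ) || return 5
    chmod 600 "$seed"
}

# After the next start, a non-empty passwd file means the seed was accepted.
# If this fails, splunkd.log has the reason.
reset_took_effect() {
    [ -s "$1/etc/passwd" ]
}
```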
We can reset both username(admin) and password to whatever we want.
In the same etc folder, navigate to /System/local folder and create a file user-seed.conf. This configuration should have the latest password.
[user_info]
USERNAME = admin
PASSWORD = changeme (you can enter whatever you want)
Restart Splunk. Now you will see that a new passwd file is created with admin as the username and an encrypted password.
At this stage you should be able to log in to Splunk with UserName as admin and Password as changeme
Rename the default username:
-> We can go to the etc folder and open the passwd file, and there we can rename admin to whatever name we want.
You can refer to the video below for the instructions.
Just used this in March 2023 and can confirm it works in Splunk 9.x.
Cheers
Thanks for the updated answer @preactivity 🙂 as most of the older answers are no longer valid on the newer Splunk releases.
Rob
For CentOS 6.x with splunk forwarder version 7.2.1 I use the following commands to update the passwords of splunk users.
service splunk stop
/path/to/splunkforwarder/bin/splunk edit user <username> -password <new_password>
service splunk start
Thanks "amielke". I had the same problem as chippysplunk.
Finally, I changed my password in the user-seed.conf file as below:
[user_info]
USERNAME = admin
PASSWORD = myPassword
And then on reboot, admin gets recreated with the new password?
Hi,
the solution with user-seed.conf was helpful.
I create the config-file in the folder $Splunk_HOME$/etc/system/local, like this:
[user_info]
USERNAME = admin
PASSWORD = myPassword
After a restart, the login was successful with these credentials.
it worked!...
for 7.1
Hi,
I've read the steps, but unfortunately I don't want it that way. I renamed the passwd file, rebooted the system. I still can't login with admin and changeme. Splunk does not create a new passwd file for me either. There is also no standard initial login screen with admin and changeme.
Anybody have an idea?
amielke, are you using 7.1? If so, read the accepted answer. You will need to set the password in the user-seed.conf file.
Here is a more complete process from Splunk
https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/Secureyouradminaccount
Thanks! This was exactly what I needed!
@cbreshears_splunk - How about search head cluster?
You will want to do this on your deployer to sync across your deployment:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Resetapasswordinadistributedenvironment
This worked. Thanks
Thanks. The file name is passwd not passw BTW.
Thanks, changed to reflect correct name.
Thank you. This worked.