Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- New Install - Default Credentials Invalid
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
New Install - Default Credentials Invalid
I installed Splunk Enterprise 6.5.3 on a new WS2012R2 Core VM. I completed the install, changed the services to use a gMSA account and setup relevant groups and GPO settings. I set the services to logon with the gMSA account and started Splunkd and opened http://splunk:8000.
After getting to the webpage, I attempted to login with 'admin' and 'changeme'. The login attempt failed and I tried it a few more times, to make sure it wasn't me. After that I tried IE, thinking that there could be an issue with Firefox, but the login failed there as well. I did some searching on the Internet and noted mentions of the /etc/passwd file within $splunk_home. I went to the /etc folder on my system and found that it does not have the passwd file.
Any ideas as to what the issue is? Is there a way I can change the password though the CLI? I ran splunk edit user admin -password changeme -role admin -auth admin:password and the command is sitting there without completing or erroring out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To reset the admin password you will need to have access to the file system. Rename/move the $SPLUNK_HOME/etc/passwd and restart splunk and the passwd file will be recreated with one login as admin and PW changeme.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The passwd file did not exist. I'm thinking something went wrong with the install, as a new install worked fine.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you manually check the splunkd.log for any clues ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just installed and instance of Splunk on Windows and the default ID and PSSWD says invalid even after I rename the passwd file and restart splunk. When i start splunk it is showing the user id and password that i used to download the software.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
