Thanks for posting this solution. For anyone else having this problem, look for passwords.conf in every app that is installed on the same search head as the CrowdStrike app and manually try to decrypt/dehash the values to figure out which passwords.conf Splunk (and therefore also CrowdStrike) is unable to decrypt.

    find $SPLUNK_HOME/ -name "passwords.conf"
    $SPLUNK_HOME/bin/splunk show-decrypted --value '$value'

where $value is what is after password = ... under each stanza in passwords.conf.

If your decryption fails, that means the password was hashed on another Splunk server with another splunk.secret than this, and then copied over, which makes the passwords.conf hash value unreadable. Decrypt the password on the Splunk instance that the app came from originally to figure out the password. Then encrypt it using the same splunk.secret on the destination Splunk server whichever way you prefer (I used a tool called splunksecrets: pip3 install splunksecrets). Paste the value back into passwords.conf. Try to decrypt again to make sure the password stayed the same.
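The check described in the post above, as an added example that is not part of the original post: it walks every passwords.conf, tries each password value, and reports only the stanzas that fail, discarding the plaintext so credentials never reach the terminal or shell history. The function names and the DECRYPT_CMD override are hypothetical, and the script assumes the decrypt command exits non-zero when it cannot decrypt a value.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Assumption: the decrypt command exits non-zero when a value cannot be decrypted.
# DECRYPT_CMD can be overridden, e.g. to exercise the loop on a host without Splunk.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DECRYPT_CMD="${DECRYPT_CMD:-$SPLUNK_HOME/bin/splunk show-decrypted --value}"

# Print "<stanza><TAB><value>" for every "password = ..." line in one file.
list_passwords() {
    awk '
        BEGIN { stanza = "(no stanza)" }
        /^[ \t]*\[/ { stanza = $0; sub(/^[ \t]*/, "", stanza); next }
        /^[ \t]*password[ \t]*=/ {
            val = $0
            sub(/^[ \t]*password[ \t]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            printf "%s\t%s\n", stanza, val
        }
    ' "$1"
}

# Try every value in one passwords.conf; print a FAIL line per unreadable stanza.
# Decrypted output goes to /dev/null; stdin is closed so the command cannot
# swallow the rest of the loop input.
check_file() {
    conf=$1
    list_passwords "$conf" | while IFS="$(printf '\t')" read -r stanza value; do
        if ! $DECRYPT_CMD "$value" </dev/null >/dev/null 2>&1; then
            printf 'FAIL\t%s\t%s\n' "$conf" "$stanza"
        fi
    done
}

# Walk every passwords.conf under a root directory (default: $SPLUNK_HOME).
check_all() {
    find "${1:-$SPLUNK_HOME}" -name passwords.conf -type f 2>/dev/null |
    while IFS= read -r conf; do
        check_file "$conf"
    done
}

# Usage on the search head: check_all
```

Each FAIL line names the file and stanza whose value was encrypted under a different splunk.secret and needs to be re-encrypted on this server.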