How to Force Reset Splunk Admin Credentials
Sometimes, you may need to reset the admin credentials for Splunk’s GUI when you don’t have access to valid Splunk GUI credentials. This procedure allows you to reset the admin password from the command line interface (CLI).
Please note that during this process, none of the current users will be able to log in until the password backup is restored. The process is described using Linux file paths, but it is the same on Windows.
Steps to Reset the Password for the admin User
Note: Run the following commands as the boot-start user (usually splunk) to prevent permission issues.
- Create a /opt/splunk/etc/system/local/user-seed.conf file with the following content:
[user_info]
USERNAME = admin
PASSWORD = password123
You can replace password123 with the desired new temporary password for the admin user. You should reset this password once you are able to log back into the GUI, since it is stored in plain text in this file.
- Back up the current passwd file by running the following command:
mv /opt/splunk/etc/passwd /opt/splunk/etc/passwd.bak
- Restart Splunk to apply the changes:
/opt/splunk/bin/splunk restart
After restarting Splunk, the admin user's password will be reset to the value specified in user-seed.conf.
Restore Users from Old passwd File
Note: Run the following commands as the boot-start user (usually splunk) to prevent permission issues.
If you need users from the old passwd file, add the contents of the old passwd.bak back to the newly generated passwd file. Be sure to remove the old line for the admin user and only keep the new line.
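One way to script this merge, as an added example that is not part of the original article: it keeps every line of the newly generated passwd and appends from passwd.bak only users not already present, which drops the old admin line and, more generally, any other duplicate. It assumes the username is the first non-empty colon-separated field of each line; merge_passwd, restore_users and demo are hypothetical helper names, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: merge users from passwd.bak into the regenerated passwd.
# Assumption: the username is the first non-empty colon-separated field.

merge_passwd() {  # usage: merge_passwd NEW_PASSWD OLD_BACKUP  (merged file on stdout)
    awk -F: '
        { name = ($1 == "") ? $2 : $1 }
        name == "" { next }                        # skip blank lines
        FNR == NR { seen[name] = 1; print; next }  # first file: keep every new entry
        !(name in seen) { seen[name] = 1; print }  # backup: only users not already present
    ' "$1" "$2"
}

restore_users() {  # usage: restore_users ETC_DIR  (e.g. /opt/splunk/etc)
    etc_dir=$1
    tmp=$(mktemp "$etc_dir/passwd.merge.XXXXXX") || return 1  # mktemp creates it mode 0600
    rc=0
    merge_passwd "$etc_dir/passwd" "$etc_dir/passwd.bak" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Overwrite in place so the passwd file keeps its owner and mode.
        cat "$tmp" > "$etc_dir/passwd" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

demo() {  # constructed sample data in a temp directory, not real Splunk hashes
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
:admin:$6$NEWHASH::Administrator:admin:changeme@example.com:::19900
EOF
    cat > "$dir/passwd.bak" <<'EOF'
:admin:$6$OLDHASH::Administrator:admin:changeme@example.com:::19000
:alice:$6$ALICEHASH::Alice:power:alice@example.com:::19000
EOF
    restore_users "$dir" && cat "$dir/passwd"
    rm -rf "$dir"
}
demo
```

Review the merged file before relying on it: every hash restored from passwd.bak is as old as the backup, so accounts that were disabled or rotated for a reason come back unchanged.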