About users and roles
If you're running Splunk Enterprise, you can create users with passwords and assign them to roles you have created. Splunk Free does not support user authentication.
Splunk comes with a single default user, the admin user. The default password for the admin user is changeme. As the password implies, you should change this password immediately upon installing Splunk.
A role contains a set of capabilities. For example, whether or not someone is allowed to add inputs or edit saved searches. The various capabilities are listed in "Add and edit roles" and in
$SPLUNK_HOME/etc/system/README/authorize.conf.spec. Once a role exists, you can assign users to that role.
Additionally, whenever you create a user, you can automatically create a role for that user.
By default, Splunk comes with the following roles predefined:
- admin -- this role has the most capabilities assigned to it.
- power -- this role can edit all shared objects (saved searches, etc) and alerts, tag events, and other similar tasks.
- user -- this role can create and edit its own saved searches, run searches, edit its own preferences, create and edit event types, and other similar tasks.
Usernames stored in Splunk's local authentication cannot contain spaces, colons, or forward slashes.
Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.
Find existing users and roles
To locate an existing user or role in Manager, use the Search bar at the top of the Users or Roles page in the Access Controls section of Splunk Manager. Wildcards are supported. Splunk searches for the string you enter in all available fields by default. To search a particular field, specify that field. For example, to search only email addresses, type "email=<email address or address fragment>:, or to search only the "Full name" field, type "realname=<name or name fragment>. To search for users in a given role, use "roles=".
Advanced indexing strategy
Set up user authentication
This documentation applies to the following versions of Splunk® Enterprise: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7