Splunk® Enterprise

Admin Manual


NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

About users and roles

If you're running Splunk Enterprise, you can create users with passwords and assign them to roles you have created. Splunk Free does not support user authentication.

Splunk comes with a single default user, the admin user. The default password for the admin user is changeme. As the password implies, you should change this password immediately upon installing Splunk.

About roles

A role contains a set of capabilities, for example whether or not someone is allowed to add inputs or edit saved searches. The various capabilities are listed in "Add and edit roles" and in $SPLUNK_HOME/etc/system/README/authorize.conf.spec. Once a role exists, you can assign users to that role.

Additionally, whenever you create a user, you can automatically create a role for that user.

By default, Splunk comes with the following roles predefined:

  • admin -- this role has the most capabilities assigned to it.
  • power -- this role can edit all shared objects (saved searches, etc.) and alerts, tag events, and perform other similar tasks.
  • user -- this role can create and edit its own saved searches, run searches, edit its own preferences, create and edit event types, and perform other similar tasks.

Disallowed characters

Usernames stored in Splunk's local authentication cannot contain spaces, colons, or forward slashes.

Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.
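
The following is an added example, not part of the Splunk documentation or Splunk's own code. It parses role stanzas in authorize.conf syntax (`[role_<name>]`, `<capability> = enabled`, `importRoles = a;b`), resolves the capabilities each role ends up with through inheritance, and flags role names that break the character rules above. The sample file content is constructed and the function names are hypothetical.

```python
import re
# Constructed sample in authorize.conf stanza syntax (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_admin]
importRoles = power;user
edit_user = enabled
[role_Help Desk]
importRoles = admin
"""

# Page rule: role names are lowercase only, with no spaces, colons or forward slashes.
BAD_ROLE_NAME = re.compile(r"[A-Z\s:/]")

def parse_roles(text):
    """Return {role: {"imports": [...], "caps": set()}} from authorize.conf text."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # new stanza; settings of non-role stanzas are skipped
            m = re.fullmatch(r"\[role_(.+)\]", line)
            current = roles.setdefault(m.group(1), {"imports": [], "caps": set()}) if m else None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "importRoles":
                current["imports"] += [r.strip() for r in value.split(";") if r.strip()]
            elif value == "enabled":
                current["caps"].add(key)
    return roles

def effective_caps(roles, name, seen=None):
    """Capabilities of a role, including those inherited through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()  # guards against import cycles and unknown roles
    seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_caps(roles, parent, seen)
    return caps

def invalid_role_names(roles):
    return sorted(name for name in roles if BAD_ROLE_NAME.search(name))
```

Comparing `effective_caps` output per role against what each group of users actually needs shows where an imported role grants more than intended.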

Find existing users and roles

To locate an existing user or role in Manager, use the Search bar at the top of the Users or Roles page in the Access Controls section of Splunk Manager. Wildcards are supported. By default, Splunk searches for the string you enter in all available fields. To search a particular field, specify that field. For example, to search only email addresses, type "email=<email address or address fragment>", or to search only the "Full name" field, type "realname=<name or name fragment>". To search for users in a given role, use "roles=".


This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Topic is useful; however, consider posting or adding to this document the appropriate link to a training video on the subject.

June 25, 2010
