Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Set up user authentication with Splunk's built-in system

Splunk ships with support for three types of authentication systems:

Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:

1. Splunk built-in authentication

2. LDAP authentication (if enabled)

3. Scripted authentication (if enabled)

This topic describes how to create new users and change the properties (like password) of existing users using Splunk's built-in authentication system.

This topic also describes how to assign users to roles in Splunk's role-based access control system. Even if you're using LDAP or scripted authentication to authenticate users, you still need to follow the instructions in this topic on assigning roles to users.

Note: Role names must use lowercase characters. For example: "admin", not "Admin". User names, however, are entirely case-insensitive: "Jacque", "jacque", "JacQue" are all the same to Splunk.

Add and edit users

You can use Splunk Web or the CLI to add and edit users and assign them roles.

Note: Members of multiple roles inherit capabilities and properties from the role with the broadest permissions. In the case of search filters, if a user is assigned to roles with different search filters, they are all combined via OR.

Use Splunk Web

In Splunk Web:

1. Click Manager.

2. Click Access controls.

3. Click Users.

4. Click New or select an existing user to edit that user.

5. Specify or change the information for the user. You can specify the user's:

  • full name.
  • email address.
  • time zone. This allows users to view events and other information in their own time zone.
  • default app. This overrides the default app inherited from the user's role.
  • password.

6. Assign the user to an existing role or roles and click Save.

You can also create a role specifically for a user, defining exactly what access that user has to Splunk. You can then assign the user to that role. For information on roles, read "Add and edit roles".

Use the CLI

In the CLI, use the add user command. Here are some examples:

  • To add a new administrator user with the password "changeme2":
    • ./splunk add user admin2 -password changeme2 -role admin -auth admin:changeme
  • To change an existing user's password to "fflanda":
    • ./splunk edit user admin -password fflanda -role admin -auth admin:changeme

Note: Passwords with special characters that would be interpreted by the shell (for example '$' or '!') must be either escaped or single-quoted. For example:

./splunk edit user admin -password 'fflanda$' -role admin -auth admin:changeme


./splunk edit user admin -password fflanda\$ -role admin -auth admin:changeme

Map a user to a role via Splunk Web

Once you've created a role in authorize.conf, map a user or users to it via Splunk Web:

1. Click on the Manager link in the upper right-hand corner.

2. Click the Users link.

3. Edit an existing user or create a new one.

4. Choose which role to map to from the Role list.

  • Any custom roles you have created in authorize.conf will be listed here.
Set up user authentication
Set up user authentication with LDAP

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


The Notes regarding special characters within passwords doesn't seem to apply to Windows 2008 R2 servers. Single quotes where taken as part of the password.

September 6, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters