Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Unlock a user account

If a user locks themself out of their Splunk platform instance account, as an administrator, you can unlock the account.

To change a password for a Splunk instance user account, see Change a password.

Unlocking a user account applies when you use the native authentication scheme only. It does not apply when using other authentication schemes.

Unlock a user account in Splunk Web

If an administrator has locked themself out of their account, they must reset their password by using the "Unlock a administrator from the command line" procedure later in this topic.

  1. In Splunk Web, select Settings > Users.
  2. In the Users page, check the Status column to locate the user that is locked.
  3. In the Action column for that user, select Unlock. The user can log in immediately with the correct credentials.

Unlock a user account from the command line in Splunk Enterprise

A Splunk Enterprise administrator can unlock a user account if they have access to the Splunk CLI and write access to the disk on which the Splunk Enterprise instance runs.

  1. Open a shell or command prompt.
  2. Type the following CLI command:
    splunk edit user <locked username> -locked-out false -auth admin:<yourpassword>
  3. Exit the shell or command prompt.
  4. Try to log into the Splunk platform instance as the locked out user.

Unlock an administrator account from the command line in Splunk Enterprise

If a Splunk platform instance administrator needs to unlock the administrator account on an instance, they must have access to the disk on which the Splunk Enterprise instance runs.

  1. Open a shell or command prompt.
  2. Stop The Splunk platform instance:
    splunk stop
  3. Temporarily move the password file to a backup:
    mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
  4. Follow the instructions in Create admin credentials with user-seed.conf to recreate the administrator user.
  5. Confirm you can log into the instance with the new administrator username and password.
  6. After you confirm a successful log in to the instance, stop the instance again.
  7. Using a text editor, open both the backup password file and the new password file that the Splunk platform created when you created the new administrator user earlier in this procedure.
  8. Copy all of the user information, except for the administrator user, from the backup password file you created earlier to the new password file.
  9. Save the file and close the text editor.
  10. Restart the Splunk platform instance.
  11. Log into the Splunk platform instance.

Unlock user accounts in distributed Splunk platform environments

If a user on a search head cluster is locked out, they are only locked out on the single member of the cluster. Results from other search heads will not show the user as locked out.

If a user or admin is locked out, an admin can:

  • Wait for the user's lockout period to expire.
  • Unlock the user, using the instructions on this page.
Last modified on 24 June, 2024
Password best practices for users   Change a user password

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters