Unlock a user account
If a user locks themself out of their Splunk platform instance account, as an administrator, you can unlock the account.
To change a password for a Splunk instance user account, see Change a password.
Unlocking a user account applies when you use the native authentication scheme only. It does not apply when using other authentication schemes.
Unlock a user account in Splunk Web
If an administrator has locked themself out of their account, they must reset their password by using the "Unlock a administrator from the command line" procedure later in this topic.
- In Splunk Web, select Settings > Users.
- In the Users page, check the Status column to locate the user that is locked.
- In the Action column for that user, select Unlock. The user can log in immediately with the correct credentials.
Unlock a user account from the command line in Splunk Enterprise
A Splunk Enterprise administrator can unlock a user account if they have access to the Splunk CLI and write access to the disk on which the Splunk Enterprise instance runs.
- Open a shell or command prompt.
- Type the following CLI command:
splunk edit user <locked username> -locked-out false -auth admin:<yourpassword>
- Exit the shell or command prompt.
- Try to log into the Splunk platform instance as the locked out user.
Unlock an administrator account from the command line in Splunk Enterprise
If a Splunk platform instance administrator needs to unlock the administrator account on an instance, they must have access to the disk on which the Splunk Enterprise instance runs.
- Open a shell or command prompt.
- Stop The Splunk platform instance:
splunk stop
- Temporarily move the password file to a backup:
mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak
- Follow the instructions in Create admin credentials with user-seed.conf to recreate the administrator user.
- Confirm you can log into the instance with the new administrator username and password.
- After you confirm a successful log in to the instance, stop the instance again.
- Using a text editor, open both the backup password file and the new password file that the Splunk platform created when you created the new administrator user earlier in this procedure.
- Copy all of the user information, except for the administrator user, from the backup password file you created earlier to the new password file.
- Save the file and close the text editor.
- Restart the Splunk platform instance.
- Log into the Splunk platform instance.
Unlock user accounts in distributed Splunk platform environments
If a user on a search head cluster is locked out, they are only locked out on the single member of the cluster. Results from other search heads will not show the user as locked out.
If a user or admin is locked out, an admin can:
- Wait for the user's lockout period to expire.
- Unlock the user, using the instructions on this page.
Password best practices for users | Change a user password |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!