Solved: Accidentally Removed the admin role, now my admin ...

drewrogers · ‎09-15-2017

While trying to create another admin role, somehow I removed all the capabilities from the original admin role. Now I cannot do anything as admin.

Is there anything I can do as root on the splunk server?

drewrogers · ‎09-15-2017

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

View solution in original post

drewrogers · ‎09-15-2017

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

s2_splunk · ‎09-15-2017

Surely you meant authorize.conf... 🙂 That's the correct place to do it, under [role_admin] stanza. Probably had a bunch of rows with "disabled" in it. Nice recovery! 🙂

jluo_splunk · ‎09-15-2017

Are you on a production instance with others users? Are there users that are brought in through native authentication (not using LDAP, SAML, etc)?

If this is just a test/personal instance, you can remove the passwd file in SPLUNK_HOME/etc and restart splunk. this will recreate an admin under the default login (admin//changeme), but it will also remove all user accounts associated with that splunk instance.

Accidentally Removed the admin role, now my admin account won't work.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms