Solved: Accidentally Removed the admin role, now my admin ...

drewrogers · ‎09-15-2017

While trying to create another admin role, somehow I removed all the capabilities from the original admin role. Now I cannot do anything as admin.

Is there anything I can do as root on the splunk server?

drewrogers · ‎09-15-2017

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

View solution in original post

drewrogers · ‎09-15-2017

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

s2_splunk · ‎09-15-2017

Surely you meant authorize.conf... 🙂 That's the correct place to do it, under [role_admin] stanza. Probably had a bunch of rows with "disabled" in it. Nice recovery! 🙂

jluo_splunk · ‎09-15-2017

Are you on a production instance with others users? Are there users that are brought in through native authentication (not using LDAP, SAML, etc)?

If this is just a test/personal instance, you can remove the passwd file in SPLUNK_HOME/etc and restart splunk. this will recreate an admin under the default login (admin//changeme), but it will also remove all user accounts associated with that splunk instance.

Accidentally Removed the admin role, now my admin account won't work.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!