To identify which entries need to be re-encrypted, you may do the following:

1) Go to the location where Splunk is installed. By default, this is /opt/splunk on Linux, and c:\Program Files\Splunk on Windows.
This command will run on window powershell

2) C:\Program Files\Splunk> Get-ChildItem -Recurse *.conf | Select-String -Pattern '\$1\$.' -List
This command will run on linux

3) Run one of the following grep commands
find ./etc/ -type f -name "*.conf" -exec grep -iH "\$1\$." {} \;
find ./etc/ -type f -name "*.conf" | xargs grep -iH "\$1\$."
You should get a list of all files which have a password encrypted using the splunk.secret. Examples of this are:

./etc/system/local/authentication.conf:bindDNpassword = $1$tiw5an/3CRc1dmTN7pdI
./etc/system/local/server.conf:#sslPassword = $1$0X18KG2mW3RH
./etc/system/local/server.conf:sslPassword = $1$1Xl8LyvJ
./etc/system/local/server.conf:pass4SymmKey = $1$hjEodCjgECZH
./etc/system/local/server.conf:pass4SymmKey = $1$hD0kcyHJ
./etc/apps/testapp/default/outputs.conf:pass4SymmKey = $1$liw5fz32GCB0U32Mvdd3MZ4HxFE=
./etc/apps/testapp/default/server.conf:pass4SymmKey = $1$hD0kcyHJ

4) Go to each of the files listed in step #2 or #3, and change the password to the clear text version used in your deployment.
Example: In server.conf, there are at least three locations where pass4SymmKey may be entered. You will need to locate each one, and enter the correct value in clear text. If the password is mySecretPassword, edit the identified file, and make the following change.
Pass4SymmKey = $1$1Xl8LyvJ í Pass4SymmKey = mySecretPassword

5) After all the appropriate changes have been made, stop and restart the Splunk services. All your passwords should be re-encrypted using the new splunk.secret.