Solved: Re: Accidentally Removed the admin role, now my ad...

drewrogers · ‎09-15-2017

While trying to create another admin role, somehow I removed all the capabilities from the original admin role. Now I cannot do anything as admin.

Is there anything I can do as root on the splunk server?

drewrogers · ‎09-15-2017

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

View solution in original post

drewrogers · ‎09-15-2017

I edited the authorize.conf file in /etc/system/local and fixed the issue.

edit: fixed filename, thanks!

s2_splunk · ‎09-15-2017

Surely you meant authorize.conf... 🙂 That's the correct place to do it, under [role_admin] stanza. Probably had a bunch of rows with "disabled" in it. Nice recovery! 🙂

jluo_splunk · ‎09-15-2017

Are you on a production instance with others users? Are there users that are brought in through native authentication (not using LDAP, SAML, etc)?

If this is just a test/personal instance, you can remove the passwd file in SPLUNK_HOME/etc and restart splunk. this will recreate an admin under the default login (admin//changeme), but it will also remove all user accounts associated with that splunk instance.

Accidentally Removed the admin role, now my admin account won't work.

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!