While trying to create another admin role, somehow I removed all the capabilities from the original admin role. Now I cannot do anything as admin.
Is there anything I can do as root on the Splunk server?
I edited the authorize.conf file in /etc/system/local and fixed the issue.
edit: fixed filename, thanks!
Surely you meant authorize.conf... 🙂 That's the correct place to do it, under the [role_admin] stanza. Probably had a bunch of rows with "disabled" in it. Nice recovery! 🙂
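A stanza-aware check for the situation discussed above, added here as an example and not written by anyone in the thread: it lists the settings marked `disabled` under `[role_admin]` in an authorize.conf and returns a copy of the file without those lines. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of a damaged local authorize.conf (not taken from the thread).
SAMPLE = """\
# local overrides
[role_admin]
admin_all_objects = disabled
edit_user = disabled
edit_roles = disabled
srchIndexesAllowed = *;_*

[role_power]
schedule_search = enabled
rtsearch = disabled
"""

STANZA = re.compile(r"^\[([^\]]+)\]$")
SETTING = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def scan(conf_text, role):
    """Yield (line_index, key) for every 'key = disabled' line inside [role]."""
    current = None
    for idx, raw in enumerate(conf_text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        stanza = STANZA.match(line)
        if stanza:
            current = stanza.group(1)  # entering a new stanza
            continue
        setting = SETTING.match(line)
        if setting and current == role and setting.group(2).strip().lower() == "disabled":
            yield idx, setting.group(1)


def disabled_capabilities(conf_text, role="role_admin"):
    """Keys switched off in [role], in file order."""
    return [key for _, key in scan(conf_text, role)]


def without_disabled(conf_text, role="role_admin"):
    """Conf text with those lines dropped; other stanzas are left untouched."""
    drop = {idx for idx, _ in scan(conf_text, role)}
    kept = [l for i, l in enumerate(conf_text.splitlines()) if i not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(disabled_capabilities(SAMPLE))
```

Run it against a copy of the file and compare the output with the original before replacing anything on the server.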
Are you on a production instance with other users? Are there users that are brought in through native authentication (not using LDAP, SAML, etc.)?
If this is just a test/personal instance, you can remove the passwd file in SPLUNK_HOME/etc and restart Splunk. This will recreate an admin under the default login (admin//changeme), but it will also remove all user accounts associated with that Splunk instance.