There are three default user roles and three different authentication methods to choose from when you set up Splunk with an Enterprise license. Users authenticate with Splunk's built-in system (described below), LDAP, or scripted authentication (for third-party auth systems). Any of these methods works with Splunk's roles system.
You must be logged in as a Splunk administrator to add or edit user accounts. The default Admin account password is changeme.
Note: Splunk with a Free license does not contain access control features. To access this page, you must run Splunk with an Enterprise license. For more information, read About Splunk licenses.
Lost admin password
If you lose the password to your admin account, contact Splunk Support for assistance.
Splunk local users
A Splunk Admin can create new users either via Splunk Web or Splunk's CLI. Users can be mapped to Splunk's default roles or any custom roles via authorize.conf.
via Splunk Web
From the CLI, use the following commands to add, edit, remove, or list users.
add user [-parameter value] ...
edit user [-parameter value] ...
remove user [-parameter value] ...
list user
Required (default) Parameters:
username -- the name of the Splunk user account to manage.
full-name -- the full name of the user in quotes, for example "Nikola Tesla".
role -- either User, Power, or Admin.
Note: The role names are case sensitive.
Optional Parameters:
password -- the password to set for the account.
The following are examples of editing a user's properties and adding a new user. Only Admin roles can modify user properties. To log in, use the splunk login command or -auth, as shown in these examples.
Note: These examples assume you have set a Splunk environment variable. If you have not, navigate to $SPLUNK_HOME/bin and run the ./splunk command.
Example 1
Let's say, as an admin on a Splunk server, you want to change the password for another user. The syntax for this looks something like:
# splunk edit user <username> -password <newpassword> -auth <your_username>:<your_password>
Note: When editing a specific user's properties, you can name the user without the -username parameter.
Therefore, to authenticate as user admin to change the password for user newbie (the single quotes keep the shell from expanding $R as a variable):
# splunk edit user newbie -password 'f8h2.$R' -auth admin:adminpw
Now, as an admin on a Splunk server, you want to add a new user with more than one role. The syntax for this looks something like:
# splunk add user -username <username> -full-name "First Last" -role <role1> -role <role2> -password <password> -auth <your_username>:<your_password>
Therefore, to add a new user deep, with Everybody and Admin permissions:
# splunk add user -username deep -full-name "the deep" -role Everybody -role Admin -password foobar -auth admin:adminpw
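The add-user procedure above as a small wrapper, added here as an example and not Splunk's own code: it rejects role names that do not match exactly, reads the new password from stdin so it stays out of shell history, and passes every value as its own quoted argument. It relies on an earlier splunk login session instead of -auth; SPLUNK_BIN, ALLOWED_ROLES and the /opt/splunk path are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. SPLUNK_BIN and ALLOWED_ROLES are
# hypothetical variables; /opt/splunk is an assumed install path.
SPLUNK_BIN="${SPLUNK_BIN:-${SPLUNK_HOME:-/opt/splunk}/bin/splunk}"
# Default roles named on this page; append custom roles from authorize.conf.
ALLOWED_ROLES="${ALLOWED_ROLES:-User Power Admin}"

# role_ok ROLE: succeed only on an exact, case-sensitive match.
role_ok() {
    for allowed in $ALLOWED_ROLES; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# add_user USERNAME FULL_NAME ROLE [ROLE...]
# Reads the new account's password from stdin (one line).
# Run "splunk login" first: no -auth is passed, so no admin password
# ends up in shell history or in this script.
add_user() {
    if [ "$#" -lt 3 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: add_user USERNAME FULL_NAME ROLE [ROLE...] < password" >&2
        return 2
    fi
    username=$1 fullname=$2
    shift 2
    password=
    IFS= read -r password || :
    [ -n "$password" ] || { echo "no password on stdin" >&2; return 2; }
    nroles=$#
    for role in "$@"; do
        if ! role_ok "$role"; then
            echo "unknown role '$role' (role names are case sensitive)" >&2
            return 3
        fi
        set -- "$@" -role "$role"   # append flag pairs after the raw names
    done
    shift "$nroles"                 # drop the raw names, keep the -role pairs
    # Each value is a separate quoted argument, so "$" and spaces survive.
    "$SPLUNK_BIN" add user -username "$username" -full-name "$fullname" \
        "$@" -password "$password"
}
```

The new account's password is still handed to splunk through -password, the syntax this page gives, so it is visible in the process list while the command runs.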
Comments
I changed this page to reflect that full-name is a required parameter only and that the role values are case sensitive.
Posted by araitz on Sep 12 2008, 10:29am
I had a copy of this page open last night and the updated examples entered today had not shown up yet. The old examples did not work, but you are correct that the new examples now showing do work.
Thanks
Posted by SidneyFreed on Sep 11 2008, 11:47am
The examples are not wrong. Verified both work.
Posted by kbains on Sep 11 2008, 11:13am
Per tech support the above example is wrong and it should be done like this:
./splunk add user -username userAlpha -full-name "Alpha Person" -role Everybody -role Admin -auth admin:changeme
Posted by SidneyFreed on Sep 11 2008, 11:08am