Splunk
Splunkmonitoring3 credentials
Local User Password
splunk / local-user-password
Splunk Enterprise supports local users and roles for Splunk Web and REST API access. Local user credentials are stored in Splunk configuration and authentication stores rather than being universal static defaults.
Looks like
pattern^\s*password\s*=\s*[^\r\n]+$Location
$SPLUNK_HOME/etc/passwd, authentication.conf, authorize.conflocal user password hashes and authentication/role configuration
Splunk Web, /servicesSplunk Web login and management REST API endpoints
deployment server secrets, app passwords, and infrastructure vault entries
deployment apps, Ansible roles, Docker Compose files, and committed Splunk configs
splunkd logs, authentication logs, and setup output
Notes
There is no universal Splunk admin password. The initial administrator password is set during installation, image startup, or provisioning.
Authentication Token
splunk / authentication-token
Splunk Enterprise supports authentication tokens for REST API access. Tokens are bearer-like secrets used by clients instead of repeatedly sending interactive user credentials.
Location
AuthorizationSplunk token authorization header used for REST API requests
automation config, .env files, Splunk app config, and deployment manifests
SPLUNK_TOKEN, SPLUNK_AUTH_TOKENCI/CD variables, deployment server secrets, and cloud secret managers
Splunk SDK scripts, tests, and committed REST clients
REST client traces and automation logs
Notes
Token blast radius depends on the Splunk user, role, audience, and token settings configured by administrators.
splunk.secret Shared Secret
splunk / splunk-secret
Splunk uses internal secret material such as splunk.secret to protect and decrypt stored credentials in configuration files. Copying or leaking this file can expose encrypted app credentials in Splunk configurations.
Location
$SPLUNK_HOME/etc/auth/splunk.secretSplunk instance secret used to protect stored credentials
Splunk backups, deployment artifacts, VM images, and vault entries
cloned Splunk images or containers containing splunk.secret
accidentally committed Splunk etc directories and deployment bundles
Notes
splunk.secret is not a login password, but it can be required to decrypt encrypted credentials stored in Splunk app configuration.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.