topic Re: How to migrate roles from a standard alone Splunk instance to a Splunk Search Head Cluster in Splunk Enterprise

How to migrate roles from a standard alone Splunk instance to a Splunk Search Head Cluster

patng_nw — Sat, 12 Jan 2019 13:58:33 GMT

I am migrating from a stand-alone Splunk machine to a search head cluster + indexer cluster architecture. I read many articles but still couldn't figure out the proper way to migrate the roles (authorize.conf) to my new Search Head Cluster.

Questions:

Should I use deployer to propagate it? And if so, should I put my original authorize.conf file under $SPLUNK_HOME/etc/shcluster/system/local on my deployer machine? The official doc (https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads) only mentions the apps/ and users/ subfolder under etc/shcluster, so I got a feeling that only these two subfolders will get pushed when I apply the config bundle.
If not using deployer, what is the proper way?

Thanks.
- Patrick

Re: How to migrate roles from a standard alone Splunk instance to a Splunk Search Head Cluster

dkeck — Mon, 14 Jan 2019 08:11:56 GMT

Hi,

this might help: https://answers.splunk.com/answers/230771/search-head-cluster-how-to-manage-new-roles-betwee-1.html

Re: How to migrate roles from a standard alone Splunk instance to a Splunk Search Head Cluster

nickhills — Mon, 14 Jan 2019 09:44:37 GMT

1.) It depends. - You can certainly use a deployer to push the athorize.conf file to your index peers, however you need to be mindful of the fact that if you choose to make changes to roles via the UI, these will not get copied back to the deployer.

This is not an issue as long as you realize that you may need to check in more than one place for these configuration changes in the future, and you frequently 'merge' your local setting (from SHC members) with the master copy on the deployer. This is one of the management overheads SHC brings.

You are of course able to make all your user and role changes on the SHC members, but the drawback of that approach is if ever your SHC disastrously falls over, you may have to start from scratch and add each role again manually.

Personally, I push roles from the deployer, and manage them all from there. I get sad if people make changes to roles on the UI without letting me know!