
Splunk App for Windows Infrastructure: How to add the winfra-admin role to a user in a search head clustering environment?

tkwaller
Builder

I've been setting up the Splunk for Windows Infrastructure app on my search head cluster. In the instructions it says to add the winfra-admin role to a user. In authorize.conf in $SPLUNK_HOME/etc/system/local I have this:

[role_admin]
importRoles = power;user;winfra-admin
schedule_rtsearch = disabled
srchMaxTime = 8640000

but when I go to Splunk and try to run the setup it still says:

Users and/or groups configured with the winfra-admin user role:
No users or groups with winfra-admin user role detected.

Am I configuring this in the wrong spot?

I would configure this in the GUI, but if clustering is enabled, then changes made via re-enabled menus aren't replicated. So how would I configure this then?

0 Karma
1 Solution

tkwaller
Builder

I think I should be able to fix this by running:
"./splunk edit user admin -role admin -role winfra-admin"

Anyone know if this is still the proper procedure?
Would this have to be done on each search head cluster member or will it replicate?


0 Karma

wild0104
Explorer

Couple questions:

1) Are you using LDAP for authentication?
2) Are you using a deployment server to manage your distributed environment?

We are using both of the above, so I just added a line in the roleMap stanza of the authentication.conf being pushed to all our search heads in the cluster and mapped the winfra-admin group to an existing AD group used in our Splunk deployment.

I think you could also do this via the deployer for your sh cluster by creating an "app" in the %SPLUNK INSTALL%\etc\shcluster\apps that would push the authentication.conf with your roleMap out to the members of your sh cluster.

Hope that helps!

0 Karma
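An added example, not part of the original thread and not Splunk's or the app's own code: a small Python check that reads authorize.conf and authentication.conf contents and reports which roles reach winfra-admin through importRoles (directly or through another role) and which external groups a roleMap stanza maps straight to winfra-admin. The [role_admin] importRoles line is the one from the question; the stanza name roleMap_corpLDAP, the other roles, and the group names are constructed.

```python
import configparser

TARGET = "winfra-admin"
# Constructed samples: only the role_admin importRoles line comes from the thread;
# "roleMap_corpLDAP", the other roles and the group names are hypothetical.
AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user;winfra-admin
[role_winops]
importRoles = user
[role_super]
importRoles = admin
"""

AUTHENTICATION_CONF = """
[roleMap_corpLDAP]
admin = Splunk Admins
winfra-admin = Windows Infra Admins;Splunk Admins
user = Domain Users
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the .conf file
    cp.read_string(text)
    return cp

def _split(value):
    # Splunk separates multiple roles or groups with semicolons
    return [v.strip() for v in value.split(";") if v.strip()]

def roles_inheriting(authorize_text, target=TARGET):
    """Roles that reach `target` through importRoles, directly or transitively."""
    cp = _parse(authorize_text)
    imports = {s[len("role_"):]: _split(cp[s].get("importRoles", ""))
               for s in cp.sections() if s.startswith("role_")}
    def reaches(role, seen):
        if role in seen:  # already explored; also guards against import cycles
            return False
        seen.add(role)
        return any(r == target or reaches(r, seen) for r in imports.get(role, []))
    return sorted(r for r in imports if reaches(r, set()))

def groups_mapped(authentication_text, target=TARGET):
    """External groups mapped straight to `target` in any roleMap_* stanza."""
    cp = _parse(authentication_text)
    return {s: _split(cp[s][target]) for s in cp.sections()
            if s.startswith("roleMap_") and target in cp[s]}

if __name__ == "__main__":
    print(roles_inheriting(AUTHORIZE_CONF), groups_mapped(AUTHENTICATION_CONF))
```

Comparing the two lists on every search head cluster member shows whether winfra-admin is reaching users through role inheritance, through a group mapping, or not at all, and whether the members agree.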
