Splunk App for Windows Infrastructure: How to add the winfra-admin role to a user in a search head clustering environment?

tkwaller
Builder

I've been setting up the Splunk for Windows Infrastructure app on my search head cluster. In the instructions it says to add the winfra-admin role to a user. In authorize.conf in $SPLUNK_HOME/etc/system/local I have this:

[role_admin]
importRoles = power;user;winfra-admin
schedule_rtsearch = disabled
srchMaxTime = 8640000

but when I go to Splunk and try to run the setup it still says:

Users and/or groups configured with the winfra-admin user role:
No users or groups with winfra-admin user role detected.

Am I configuring this in the wrong spot?

I would configure this in the GUI, but if clustering is enabled, then changes made via re-enabled menus aren't replicated. So how would I configure this then?

0 Karma
1 Solution

tkwaller
Builder

I think I should be able to fix this by running:
"./splunk edit user admin -role admin -role winfra-admin"

Anyone know if this is still the proper procedure?
Would this have to be done on each search head cluster member or will it replicate?


0 Karma

wild0104
Explorer

Couple questions:

1) Are you using LDAP for authentication?
2) Are you using a deployment server to manage your distributed environment?

We are using both of the above so I just added a line in the roleMap stanza of the authentication.conf being pushed to all our search heads in the cluster and mapped the winfra-admin group to an existing AD group used in our Splunk deployment.

I think you could also do this via the deployer for your sh cluster by creating an "app" in the %SPLUNK INSTALL%\etc\shcluster\apps that would push the authentication.conf with your roleMap out to the members of your sh cluster.

Hope that helps!

0 Karma
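
An added example, not part of the original thread and not Splunk's own tooling: a check to run on the configuration staged for the deployer in the roleMap approach described above. It reports which AD groups are mapped directly to winfra-admin in authentication.conf, and separately which roles only list it in importRoles in authorize.conf. The strategy name corp_ldap and the AD group names are hypothetical sample values.

```python
import configparser

# Constructed sample input. Only the [role_admin] stanza comes from the
# question; the strategy name "corp_ldap" and the AD group names are hypothetical.
AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user;winfra-admin
schedule_rtsearch = disabled
srchMaxTime = 8640000
"""
AUTHENTICATION_CONF = """
[roleMap_corp_ldap]
admin = Splunk-Admins
winfra-admin = Splunk-Windows-Admins;Splunk-Admins
"""

def _parse(text):
    # Splunk .conf files are INI-like: keep key case, split on "=" only.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _split(value):
    # Splunk separates list values (roles, groups) with semicolons.
    return [v.strip() for v in value.split(";") if v.strip()]

def groups_mapped_to(role, authentication_conf):
    """AD/LDAP groups mapped directly to `role`, keyed by LDAP strategy name."""
    cp = _parse(authentication_conf)
    found = {}
    for section in cp.sections():
        if section.startswith("roleMap_") and cp.has_option(section, role):
            found[section[len("roleMap_"):]] = _split(cp.get(section, role))
    return found

def roles_importing(role, authorize_conf):
    """Roles that list `role` in importRoles (inheritance, not assignment)."""
    cp = _parse(authorize_conf)
    return sorted(
        s[len("role_"):] for s in cp.sections()
        if s.startswith("role_")
        and role in _split(cp.get(s, "importRoles", fallback="")))

if __name__ == "__main__":
    print("groups mapped:", groups_mapped_to("winfra-admin", AUTHENTICATION_CONF))
    print("imported by:  ", roles_importing("winfra-admin", AUTHORIZE_CONF))
```

An empty result from `groups_mapped_to` means no group in the staged file is mapped to the role, whatever `importRoles` says.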
