All Apps and Add-ons
Highlighted

Splunk App for Windows Infrastructure: How to add the winfra-admin role to a user in a search head clustering environment?

Builder

I've been setting up the Splunk for Windows Infrastructure app on my search head cluster. In the instructions it says to add the winfra-admin role to a user. In authorize.conf in $SPLUNK_HOME/etc/system/local I have this:

[role_admin]
importRoles = power;user;winfra-admin
schedule_rtsearch = disabled
srchMaxTime = 8640000

but when I go to Splunk and try to run the setup it still says :

Users and/or groups configured with the winfra-admin user role:
No users or groups with winfra-admin user role detected.

Am I configuring this in the wrong spot?

I would configure this in the GUI, but if clustering is enabled, then changes made via re-enabled menus aren't replicated. So how would I configure this then?

0 Karma
Highlighted

Re: Splunk App for Windows Infrastructure: How to add the winfra-admin role to a user in a search head clustering environment?

Builder

I think I should be able to fix this by running:
"./splunk edit user admin -role admin -role winfra-admin"

Anyone know if this is still the proper procedure?
Would this have to be done on each search head cluster member or will it replicate?

View solution in original post

0 Karma
Highlighted

Re: Splunk App for Windows Infrastructure: How to add the winfra-admin role to a user in a search head clustering environment?

Explorer

Couple questions:

1) Are you using LDAP for authentication?
2) Are you using a deployment server to manage your distributed environment?

We are using both of the above so I just added an line in the roleMap stanza of the authentication.conf being pushed to all our search heads in the cluster and mapped the winfra-admin group to an existing AD group used in our Splunk deployment.

I think you could also do this via the deployer for your sh cluster by creating an "app" in the %SPLUNK INSTALL%\etc\shcluster\apps that would push the authentication.conf with your roleMap out to the members of your sh cluster.

Hope that helps!

0 Karma