I've been setting up the Splunk for Windows Infrastructure app on my search head cluster. In the instructions it says to add the winfra-admin role to a user. In authorize.conf in $SPLUNK_HOME/etc/system/local I have this:
[role_admin]
importRoles = power;user;winfra-admin
schedule_rtsearch = disabled
srchMaxTime = 8640000
but when I go to Splunk and try to run the setup it still says:
Users and/or groups configured with the winfra-admin user role: No users or groups with winfra-admin user role detected.
Am I configuring this in the wrong spot?
I would configure this in the GUI, but if clustering is enabled, then changes made via re-enabled menus aren't replicated. So how would I configure this then?
I think I should be able to fix this by running:
"./splunk edit user admin -role admin -role winfra-admin"
Anyone know if this is still the proper procedure?
Would this have to be done on each search head cluster member or will it replicate?
1) Are you using LDAP for authentication?
2) Are you using a deployment server to manage your distributed environment?
We are using both of the above, so I just added a line in the roleMap stanza of the authentication.conf being pushed to all our search heads in the cluster and mapped the winfra-admin group to an existing AD group used in our Splunk deployment.
I think you could also do this via the deployer for your sh cluster by creating an "app" in the %SPLUNK INSTALL%\etc\shcluster\apps that would push the authentication.conf with your roleMap out to the members of your sh cluster.
Hope that helps!
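To make the deployer approach above concrete, here is an added example of the stanza such an app would carry (not the poster's own configuration): the app name winfra_roles, the LDAP strategy name corp_ldap and the AD group DN are assumed placeholders.

```ini
# Added example with assumed values. Lives on the deployer under
#   $SPLUNK_HOME/etc/shcluster/apps/winfra_roles/local/authentication.conf
# and is pushed to every cluster member with:
#   splunk apply shcluster-bundle -target https://<any-member>:8089 -auth admin:<password>
#
# The stanza name must be roleMap_<strategy>, where <strategy> is the name of
# the existing LDAP strategy stanza (here assumed to be [corp_ldap]).
[roleMap_corp_ldap]
# <Splunk role> = <LDAP group DN>[;<another group DN>]
# Any member of the assumed AD group below will log in with the winfra-admin role,
# which is what the Windows Infrastructure app's setup check looks for.
winfra-admin = CN=Splunk-WinfraAdmins,OU=Groups,DC=corp,DC=example
```

Because the bundle is applied to all members, the mapping does not need to be repeated on each search head by hand.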