Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to migrate roles from a standard alone Splunk instance to a Splunk Search Head Cluster

patng_nw
Communicator
‎01-12-2019 05:58 AM

I am migrating from a stand-alone Splunk machine to a search head cluster + indexer cluster architecture. I read many articles but still couldn't figure out the proper way to migrate the roles (authorize.conf) to my new Search Head Cluster.

Questions:

  1. Should I use deployer to propagate it? And if so, should I put my original authorize.conf file under $SPLUNK_HOME/etc/shcluster/system/local on my deployer machine? The official doc (https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads) only mentions the apps/ and users/ subfolder under etc/shcluster, so I got a feeling that only these two subfolders will get pushed when I apply the config bundle.
  2. If not using deployer, what is the proper way?

Thanks.
- Patrick

0 Karma
Reply

nickhills
Ultra Champion
‎01-14-2019 01:44 AM

1.) It depends. - You can certainly use a deployer to push the athorize.conf file to your index peers, however you need to be mindful of the fact that if you choose to make changes to roles via the UI, these will not get copied back to the deployer.

This is not an issue as long as you realize that you may need to check in more than one place for these configuration changes in the future, and you frequently 'merge' your local setting (from SHC members) with the master copy on the deployer. This is one of the management overheads SHC brings.

You are of course able to make all your user and role changes on the SHC members, but the drawback of that approach is if ever your SHC disastrously falls over, you may have to start from scratch and add each role again manually.

Personally, I push roles from the deployer, and manage them all from there. I get sad if people make changes to roles on the UI without letting me know!

If my comment helps, please give it a thumbs up!
0 Karma
Reply

dkeck
Influencer
‎01-14-2019 12:11 AM

Hi,

this might help: https://answers.splunk.com/answers/230771/search-head-cluster-how-to-manage-new-roles-betwee-1.html

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...