I followed the instructions on https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads and thought that I could actually migrate users (not just their settings) from a standalone Splunk instance to a new Search Head Cluster. However, I now realize that only the users' settings were migrated, but not the actual users themselves. Is there a way to migrate users? I don't want to re-create every single one on the new cluster, which is extremely tedious.
I am not sure this is possible.
Assuming you are referring to 'Splunk Local' users (as opposed to LDAP/SAML users).
The issue is that Splunk uses its own encryption seed to secure passwords and other secrets. This seed is generated when Splunk first starts, and it cannot (to my knowledge) be exported or copied.
This means that any configuration files which contain encrypted data will not be readable on your new system.
Whilst you could copy the etc/passwd files, I think you would be left needing to reset every user's password, and since I doubt this approach would be supported anyway, it may well be more hassle than it's worth.
Your alternative approaches are to script the creation of new users via the REST API, or to consider using an external authentication system like LDAP/SAML. The latter would be my suggestion if available to you.
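One way to script the "create new users via the REST API" approach from this answer. This is an added example, not code from the answer's author or from Splunk: it assumes the documented `POST /services/authentication/users` endpoint with the form fields `name`, `password`, `roles` (repeated once per role), `realname` and `email`, a session key passed as `Authorization: Splunk <key>`, and a hypothetical list of users (`USERS`) that you would in practice export from the old instance. Because the old password hashes cannot be submitted through the API, each user gets a fresh random temporary password, which the script returns so it can be handed over out of band; the `send` parameter is injectable so the request construction can be checked without a live search head.

```python
import secrets
import ssl
import urllib.parse
import urllib.request

# Constructed sample input (hypothetical users); in practice you would read
# this from the standalone instance rather than hard-code it.
USERS = [
    {"name": "alice", "roles": ["user"], "realname": "Alice Example", "email": "alice@example.com"},
    {"name": "bob", "roles": ["power", "user"], "realname": "Bob Example", "email": "bob@example.com"},
]


def build_user_payload(user, password):
    """Build the x-www-form-urlencoded body for POST /services/authentication/users.
    Multi-valued fields such as roles are sent by repeating the key."""
    fields = [("name", user["name"]), ("password", password)]
    fields += [("roles", role) for role in user["roles"]]
    for key in ("realname", "email"):
        if user.get(key):
            fields.append((key, user[key]))
    return urllib.parse.urlencode(fields)


def new_temporary_password(nbytes=20):
    """Random, URL-safe temporary password; the user must change it after first login."""
    return secrets.token_urlsafe(nbytes)


def _post(url, session_key, body):
    """Real HTTP sender: POST the form body to the search head's management port
    (default 8089) using a session key obtained from /services/auth/login."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Authorization", "Splunk " + session_key)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status


def create_users(base_url, session_key, users, send=_post):
    """Create every user in `users` on the search head at `base_url`.
    Returns {username: temporary_password} so the passwords can be delivered out of band."""
    endpoint = base_url.rstrip("/") + "/services/authentication/users"
    issued = {}
    for user in users:
        password = new_temporary_password()
        send(endpoint, session_key, build_user_payload(user, password))
        issued[user["name"]] = password
    return issued


if __name__ == "__main__":
    # Hypothetical host and session key; replace with your own values.
    created = create_users("https://sh1.example:8089", "SESSION_KEY_PLACEHOLDER", USERS)
    print("created users:", ", ".join(created))
```

Against a search head cluster, run this once against a single member (or the captain): Splunk replicates etc/passwd changes made through the REST API to the other members, whereas hand-edited files on one member are not replicated.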
Do you mean user roles?
These are stored in the authorize.conf file,
so try copying it.
let me know if this helps!
See my new comment on my own post. I did the copy (plus some merging), and somehow it works, although I don't fully understand how the encryption part worked out.
As an experiment, I did the following:
- On each search head, I made a backup of etc/passwd (which contains only the admin user)
- I then copied the etc/passwd file from my stand-alone Splunk to each search head
- On the copied passwd file, I replaced the admin entry with the one from my backup passwd
- I restarted all my search heads
- I can successfully log in to my search head using the users (with their passwords) contained in the copied passwd.
- I can also log in to my search head using the admin and its pwd which I specified when I set up the new search head cluster.
Honestly I don't know why it works (since I know Splunk will encrypt the password and possibly using a different key), but it works for me.
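The merge described in the steps above, as an added example (not code from the poster or from Splunk). It assumes the etc/passwd layout of colon-separated lines with an empty first field and the username in the second (the sample content below is constructed, with placeholder hashes). It also explains the "why does it work" question: Splunk's etc/passwd holds salted crypt-style hashes (the `$6$...` form), not values encrypted with the instance's splunk.secret, so the hashes are verifiable on any instance. The helper therefore refuses lines whose password field is not a hash, and keeps the admin entry from the search head's own backup, exactly as the steps describe.

```python
# Constructed sample files; the hashes are placeholders, not real Splunk output.
SOURCE_PASSWD = """\
:admin:$6$srcsalt$srchash:Administrator:admin:admin@old.example:::
:alice:$6$alsalt$alhash:Alice Example:user:alice@example.com:::
:bob:$6$bosalt$bohash:Bob Example:power:bob@example.com:::
"""
TARGET_BACKUP = """\
:admin:$6$newsalt$newhash:Administrator:admin:admin@new.example:::
"""


def parse_passwd(text):
    """Map username -> full line. Assumes ':' separated fields with an empty
    leading field and the username second; rejects duplicates."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 3 or fields[0] != "":
            raise ValueError(f"unexpected passwd line: {line!r}")
        name = fields[1]
        if name in users:
            raise ValueError(f"duplicate user {name!r}")
        users[name] = line
    return users


def unhashed_users(text):
    """Usernames whose password field is not a crypt-style hash ($id$salt$hash).
    Copying a file that contains anything else would not work across instances."""
    return [name for name, line in parse_passwd(text).items() if not line.split(":")[2].startswith("$")]


def merge_passwd(source_text, target_backup_text, keep_from_target=("admin",)):
    """Take every user from the standalone instance's passwd, but keep the listed
    users (by default the cluster admin) from the search head's own backup."""
    bad = unhashed_users(source_text) + unhashed_users(target_backup_text)
    if bad:
        raise ValueError(f"non-hash password field for: {bad}")
    merged = parse_passwd(source_text)
    target = parse_passwd(target_backup_text)
    for name in keep_from_target:
        if name not in target:
            raise ValueError(f"{name!r} missing from the search head backup")
        merged[name] = target[name]
    return "\n".join(merged.values()) + "\n"


if __name__ == "__main__":
    # Usage with real files: read etc/passwd from the standalone instance and the
    # backup taken on the search head, then write the result while Splunk is stopped.
    print(merge_passwd(SOURCE_PASSWD, TARGET_BACKUP), end="")
```

The same merge has to be applied on every member, since a file copied onto one search head is not replicated by the cluster; changes made later through the UI or REST API are.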