Setup
Challenge
Adding a new user or role requires adding it on all search heads, instead of it being centrally managed within the Splunk setup
Need
Can anyone give some pointers, or share some earlier work that can be re-used?
Hi ronak,
Yes you can! 😉
So what I have done previously is to gather my configuration in a central app, let's call it myAuth. That means I am editing the authorization and authorize files manually (well, in some cases with scripts). Then I deploy myAuth with the deployment server or whatever other means I have for deployment. After the app is deployed I have been using the REST API endpoints to "force" an update on those, meaning I don't have to restart my search heads to update the roles and whatnot.
With search-head clustering and the new functions in Splunk 6, this method should still be valid, I guess, even if the deployment server is not used anymore to push confs to indexers and search heads.
You could also use something like rsync or robocopy to keep the configurations in sync between your nodes.
It is preferable to combine this with AD or LDAP, since it will spare you some work.
Here you will find some tips on how to update / reload roles and users without the need for a restart;
Hope this helps and gives you some ideas of what you can do
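An added example, not part of the original answer: once the central app (called myAuth above) has been pushed out, one way to confirm that every search head ended up with the same role definitions is to compare each head's authorize.conf with the central copy. The host names and conf contents below are constructed sample data, and collecting the files from each head is assumed to happen elsewhere.

```python
import configparser

def load_roles(conf_text):
    """Parse authorize.conf text and return {role_stanza: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def role_drift(central_text, head_texts):
    """Compare each search head's roles with the central app's copy.

    Returns {head: [(role, setting, central_value, head_value), ...]} for the
    heads that differ; a missing role or setting is reported as None.
    """
    central = load_roles(central_text)
    report = {}
    for head, text in head_texts.items():
        local = load_roles(text)
        diffs = []
        for role in sorted(set(central) | set(local)):
            want, have = central.get(role, {}), local.get(role, {})
            for key in sorted(set(want) | set(have)):
                if want.get(key) != have.get(key):
                    diffs.append((role, key, want.get(key), have.get(key)))
        if diffs:
            report[head] = diffs
    return report

# Constructed sample data: the central app's authorize.conf and two heads.
CENTRAL = """
[role_analyst]
importRoles = user
srchIndexesAllowed = main;web
"""
HEADS = {
    "sh1": CENTRAL,  # in sync with the central app
    "sh2": """
[role_analyst]
importRoles = user;power
srchIndexesAllowed = main;web

[role_temp_admin]
importRoles = admin
""",  # edited locally: widened role plus an extra admin-derived role
}

if __name__ == "__main__":
    for head, diffs in role_drift(CENTRAL, HEADS).items():
        for role, key, want, have in diffs:
            print(f"{head}: [{role}] {key}: central={want!r} head={have!r}")
```

A head that appears in the report has roles that were changed locally or missed by the deployment, which is worth resolving before relying on the reloaded configuration.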