Deployment Architecture

Is there a way make adding a new user/role in search head clustering more efficient so I don't have to add it on all search heads?

Path Finder


  • 3 node search head cluster which will grow to about 10 in near future
  • Multi-tenant setup having many clients on the same installbase
  • Roles (e.g. client1_role, client2_role etc) and users within those roles (e.g. client1_role_u1, client1_role_u2, client2_role_u1 etc)


Adding a new user, role requires adding it on all search heads instead of a centrally managed within Splunk setup


  • Make this user, role management efficient and less error-prone
  • Have some UI interface OR some scripting approach to make this happen

Can anyone shed some pointers , share some earlier work that can be re-used?

0 Karma


Hi ronak,

Yes you can! 😉

So what i have done previously is to gather my configuration in a/one central app, lets call it myAuth . That means i am editing the authorization and authorize files manually (well in some cases with scripts) . Then i deploy myAuth with the deployment server or what other means i have for deployment. After the app is deployed i have been using the rest-api endpoints to "force" an update on those, meaning i don't have to restart my search-heads to update the roles and what not.

With search-head clustering and the new functions in splunk 6, this method should still be valid i guess even if deployment server is not used anymore to push confs to indexers and search-heads.

You could also use something link rsync or robocopy to keep the configurations in sync between your nodes .

It is preferable to combine this with AD or LDAP. Since it will spare you some work.

Here you will find some tips on how to update / reload roles and users without the need for a restart;

Hope this helps and gives you some ideas of what you can do

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...