
Is there a way to make adding a new user/role in search head clustering more efficient so I don't have to add it on all search heads?



  • 3 node search head cluster which will grow to about 10 in near future
  • Multi-tenant setup having many clients on the same install base
  • Roles (e.g. client1_role, client2_role etc) and users within those roles (e.g. client1_role_u1, client1_role_u2, client2_role_u1 etc)


Adding a new user or role requires adding it on all search heads instead of managing it centrally within the Splunk setup


  • Make this user, role management efficient and less error-prone
  • Have some UI interface OR some scripting approach to make this happen

Can anyone share some pointers, or share some earlier work that can be re-used?

0 Karma


Hi ronak,

Yes you can! 😉

So what I have done previously is to gather my configuration in one central app, let's call it myAuth. That means I am editing the authorization and authorize files manually (well, in some cases with scripts). Then I deploy myAuth with the deployment server or whatever other means I have for deployment. After the app is deployed, I have been using the REST API endpoints to "force" an update on those, meaning I don't have to restart my search heads to update the roles and whatnot.

With search head clustering and the new functions in Splunk 6, this method should still be valid, I guess, even if the deployment server is not used anymore to push confs to indexers and search heads.

You could also use something like rsync or robocopy to keep the configurations in sync between your nodes.

It is preferable to combine this with AD or LDAP, since it will spare you some work.

Here you will find some tips on how to update / reload roles and users without the need for a restart;

Hope this helps and gives you some ideas of what you can do.

0 Karma
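
As an added example (not part of the original posts, and not the poster's or Splunk's code): one way to script the central myAuth app described in the answer is to render `authorize.conf` from a single tenant list and compare each search head's copy against it. The tenant and index names, the `default/` location and all function names are assumptions made for illustration.

```python
import configparser
import re
from pathlib import Path

# Constructed sample data: tenant -> indexes its role may search (names are assumptions).
TENANTS = {"client1": ["client1_web", "client1_os"], "client2": ["client2_web"]}
NAME = re.compile(r"^[a-z0-9_]+$")  # keep role and index names lowercase, no wildcards

def render_authorize_conf(tenants):
    """Build authorize.conf text with one [role_<tenant>_role] stanza per tenant."""
    stanzas = []
    for tenant in sorted(tenants):
        indexes = tenants[tenant]
        if not NAME.match(tenant) or not indexes:
            raise ValueError(f"bad tenant entry: {tenant!r}")
        for idx in indexes:
            # Tenant isolation: only literal indexes carrying the tenant's own prefix.
            if not NAME.match(idx) or not idx.startswith(tenant + "_"):
                raise ValueError(f"{idx!r} is not an index of {tenant!r}")
        allowed = ";".join(indexes)
        # No importRoles line: an imported role also passes on its index access.
        stanzas.append(f"[role_{tenant}_role]\nsearch = enabled\n"
                       f"srchIndexesAllowed = {allowed}\nsrchIndexesDefault = {allowed}\n")
    return "\n".join(stanzas)

def write_app(app_dir, tenants):
    """Write the rendered file to <app_dir>/default/authorize.conf and return its path."""
    target = Path(app_dir) / "default" / "authorize.conf"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_authorize_conf(tenants), encoding="utf-8")
    return target

def drifted_roles(node_conf_text, tenants):
    """Return role stanzas on a node that differ from, or are missing in, the rendered file."""
    def parse(text):
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key case (srchIndexesAllowed)
        cp.read_string(text)
        return {s: dict(cp[s]) for s in cp.sections()}
    want, have = parse(render_authorize_conf(tenants)), parse(node_conf_text)
    return sorted(s for s in want.keys() | have.keys() if want.get(s) != have.get(s))
```

Running `drifted_roles` against the file collected from each search head shows which role stanzas were edited by hand or missed by a deployment.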