Search head fails to be added back to the Search Head Cluster after performing a cleanup

keio_splunk
Splunk Employee

After performing "./splunk clean all" on one of the search heads, we are having an issue adding the search head back to the search head cluster.

A permission error message is reported when adding the search head back to the cluster:

./splunk add shcluster-member -current_member_uri URI:

You (user=admin) do not have permission to perform this operation (requires capability: edit_search_head_clustering).

0 Karma
1 Solution

keio_splunk
Splunk Employee

The $SPLUNK_HOME/etc/passwd file is deleted after performing a "clean all" on the Splunk search head, and there is no administrator credential to access the Splunk instance. We will need to restore the $SPLUNK_HOME/etc/passwd file by copying it over from an existing search or generate a new passwd file by creating the user-seed.conf. Refer to: https://docs.splunk.com/Documentation/Splunk/latest/Security/Secureyouradminaccount#Create_admin_cre...

Add the search head cluster member after the passwd file has been restored:

:/opt/splunk/bin# ./splunk add shcluster-member -current_member_uri URI:

0 Karma
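
The user-seed.conf route from the answer above, as an added example that is not part of the original post: it writes the seed file with a hashed password and owner-only permissions, and refuses to run when etc/passwd already exists, since the seed is only read when no passwd file is present. The function name `write_user_seed` is hypothetical, and the hash is assumed to be the `$`-prefixed output of `splunk hash-passwd`.

```shell
#!/bin/sh
# Added example: seed a new admin credential on a search head whose
# $SPLUNK_HOME/etc/passwd was removed by "splunk clean all".
#
# write_user_seed SPLUNK_HOME USERNAME HASHED_PASSWORD  (hypothetical helper)
# The body runs in a subshell so the umask and variables do not leak.
write_user_seed() (
    home="$1"; user="$2"; hash="$3"
    seed="$home/etc/system/local/user-seed.conf"

    # user-seed.conf is only honoured when no passwd file exists.
    if [ -e "$home/etc/passwd" ]; then
        echo "etc/passwd already exists; user-seed.conf would be ignored" >&2
        exit 1
    fi

    # Assumption: "splunk hash-passwd" prints a crypt-style string that
    # starts with "$". Anything else is treated as clear text and refused,
    # so the password itself never lands on disk.
    case "$hash" in
        '$'*) ;;
        *) echo "expected a hashed password, not clear text" >&2; exit 2 ;;
    esac
    [ -n "$user" ] || { echo "username is empty" >&2; exit 2; }

    mkdir -p "$home/etc/system/local" || exit 3

    # Create the file readable by the owner only, and tighten the mode
    # explicitly in case an older, looser copy was already there.
    umask 077
    printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' \
        "$user" "$hash" > "$seed" || exit 3
    chmod 600 "$seed"
)

# Usage on the cleaned search head, run as the account that owns Splunk:
#   write_user_seed /opt/splunk admin '<output of: splunk hash-passwd>'
#   /opt/splunk/bin/splunk restart
#   /opt/splunk/bin/splunk add shcluster-member -current_member_uri URI
```

After the restart, confirm that $SPLUNK_HOME/etc/passwd exists again before running the add shcluster-member command.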
