Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search head fails to be added back to the Search Head Cluster after performing a cleanup

keio_splunk
Splunk Employee
Splunk Employee
‎07-14-2019 11:44 PM

After performing "./splunk clean all" on one of the search head, we are having issue to add the search head back to the search head cluster.

Permission error message is reported when adding the search head back to the cluster:

./splunk add shcluster-member -current_member_uri URI:

You (user=admin) do not have permission to perform this operation (requires capability: edit_search_head_clustering).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

keio_splunk
Splunk Employee
Splunk Employee
‎07-14-2019 11:50 PM

The $SPLUNK_HOME/etc/passwd file is deleted after performing a "clean all" on the Splunk search head and there is no administrator credential to access the Splunk instance. We will need to restore back the $SPLUNK_HOME/etc/passwd file by copying it over from an existing search or generate a new passwd file by creating the user-seed.conf. Refer to: https://docs.splunk.com/Documentation/Splunk/latest/Security/Secureyouradminaccount#Create_admin_cre...

Add the search head cluster member after the passwd file has been restored:

:/opt/splunk/bin# ./splunk add shcluster-member -current_member_uri URI:

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

keio_splunk
Splunk Employee
Splunk Employee
‎07-14-2019 11:50 PM

The $SPLUNK_HOME/etc/passwd file is deleted after performing a "clean all" on the Splunk search head and there is no administrator credential to access the Splunk instance. We will need to restore back the $SPLUNK_HOME/etc/passwd file by copying it over from an existing search or generate a new passwd file by creating the user-seed.conf. Refer to: https://docs.splunk.com/Documentation/Splunk/latest/Security/Secureyouradminaccount#Create_admin_cre...

Add the search head cluster member after the passwd file has been restored:

:/opt/splunk/bin# ./splunk add shcluster-member -current_member_uri URI:

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...