Deployment Architecture

User migration to Search Head

Path Finder

We have migrated from a single Indexer system to a Search Head + Indexer.
All apps and users were copied to the Search Head.
Authentication is LDAP.

Users on the search head do not see their own private objects (searches, extractions, etc.) although that information is present in the user's folder .conf files.
Global and App level objects are shared and accessible.

From the documentation, I can't find any process to "refresh" or "rebuild" the knowledge of Splunk of there private objects (which I believe don't even need stanzas in the user's local.meta file). Nevertheless, everything was transfered from the original indexer.

In the old indexer, where all the objects still remain, it's possible (even with the admin) to see all the user's private objects.

0 Karma

Path Finder

Ok, I just found the problem.
The copy of the user folders from the Indexer to the Search head resulted in invalid folder ownership and permissions on the Search Head. So, not even the admin could see the objects.

Actually, users were not even able to save new searches but that had not been reported until now.

The issue was happening in MOST of the folders, but not all, that's why some objects were being listed.

Then, somehow the Window Server was not allowing Ownership changing (folders had "unknown user") so we had to re-copy everything again but this time it worked 😉