- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- default_namespace in an LDAP, multi-tenant, SHC
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have different groups in our company. Each group gets an app, say acme_search. There are roles associated with the app, for example acme_user. This role is then mapped to an LDAP group. One of the template files included with the base app install is acme_search/default/user-prefs.conf which contains:
[role_acme_user]
default_namespace = acme_search
I've noticed just recently that all users are being sent to the search app by default. I swear this used to work as expected. This really sucks because newbs start creating artifacts, reports, alerts, dashboards, etc in search instead of their "Acme" app. And untangling that mess is not trivial. Not to mention the confusion it sows in the user base.
It appears that the (relatively new?) default app user-prefs is overriding my per app config file. In a standalone SH env, if I put that stanza into user-prefs/local/user-prefs.conf it works. Doing that in an SHC env is tricky/hacky/gross. I presume it would work in system/local as well, while also presenting SHC problems. More to the point, I need it to be bundled with the app. Trying to manage a common user-prefs.conf file for 400+ different roles is not something I want to tackle.
FWIW, btool shows good, but this setting has no impact on actual use.
> splunk btool user-prefs list role_acme
[role_acme_user]
default_namespace = acme_search
Am I missing something? Any workarounds?
Linux
Splunk 6.5.1 (tested on 6.5.2 as well)
SHC and indexer cluster
Thanks,
jon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Until there's a better option I've scripted out a little job to concatenate the various default/user-prefs.conf from my template-based apps into one file for the user-prefs app. Not pretty but it works.
#!/bin/bash
# where are our apps?
SPLUNKAPPS=/app/splunk/etc/apps
# if in SHC env, use this instead
#SPLUNKAPPS=/app/splunk/etc/shcluster/apps
# the file we want to write to
FILE=$SPLUNKAPPS/user-prefs/local/user-prefs.conf
# back it up
cp $FILE $FILE.$(date +"%Y%m%d%H%M%S")
# start with a clean slate
echo '[general_default]
default_earliest_time = -60m@m
default_latest_time = now
' > $FILE
# collect up the default/user-prefs, which should only include the bit we want
for n in $(find $SPLUNKAPPS -name user-prefs.conf | grep default | grep -v /user-prefs/)
do
echo "### $n" >> $FILE
cat $n >> $FILE
echo "###" >> $FILE
done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Until there's a better option I've scripted out a little job to concatenate the various default/user-prefs.conf from my template-based apps into one file for the user-prefs app. Not pretty but it works.
#!/bin/bash
# where are our apps?
SPLUNKAPPS=/app/splunk/etc/apps
# if in SHC env, use this instead
#SPLUNKAPPS=/app/splunk/etc/shcluster/apps
# the file we want to write to
FILE=$SPLUNKAPPS/user-prefs/local/user-prefs.conf
# back it up
cp $FILE $FILE.$(date +"%Y%m%d%H%M%S")
# start with a clean slate
echo '[general_default]
default_earliest_time = -60m@m
default_latest_time = now
' > $FILE
# collect up the default/user-prefs, which should only include the bit we want
for n in $(find $SPLUNKAPPS -name user-prefs.conf | grep default | grep -v /user-prefs/)
do
echo "### $n" >> $FILE
cat $n >> $FILE
echo "###" >> $FILE
done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any news here?
Is there still no better solution?
SHC seems not so easy to manage ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does acme_user role has access to acme_search app?
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. They can manually switch to the app, and save artifacts there. But I want them to START in the app by default. Not Launcher.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok, we are also running SHC but we are pushing user-prefs/local/user-prefs.conf from Deployer to all SH for all the apps to manage it centrally.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to avoid that. (Also, the Deployer only pushes default. Anything in local on the Deployer is reconciled with default and pushed to the SHC as default. FYI.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I know that is default behaviour when you deploy app from deployer.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
