
Best way to consolidate System directory configs to existing configs at bundle level?


Hi Folks,

Hopefully this isn't a strange question, but I had a question regarding the consolidation of configuration stanzas from a conf file at the bundle level to settings that may have been adjusted from Splunk Web on the Search Head. For example, we have the authorization.conf file in which we have set all of our group permissions, like disabling real-time search and such.

I noticed that one of our admins may have adjusted some of the settings from Splunk Web, because I did find an authorization.conf file in the system directory of the search head with one of the group roles adjusted. This is completely fine, and there are no conflicts between the files, but I was wondering what the best way to consolidate these would be.

If I remember correctly, the bundle/app level configs overrule the system level configurations, so would there be any harm in manually adding the differences to my bundle config and leaving the system config as-is... or would I need to remove from one and put it into the other?

Hope that wasn't confusing. Thanks!



The btool command with the debug option might help:

splunk btool authorize list --debug | grep -v system/default

At least you can get a catalog of the settings you're targeting.


I considered that as well and think that may be the best solution at this time. I might have to just do periodic btool checks to see what settings are being written at system level from time to time. It would indicate that someone is changing settings through the UI instead of through bundle level.

Sounds like a good idea for a Splunk app though 😄

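The periodic btool check mentioned above, written out as an added example (not code from any of the posters): a POSIX shell filter over `splunk btool authorize list --debug` output that reports every effective setting whose winning source file lives under etc/system/local, which is where Splunk Web writes. The sample btool output, the app name key_all_authorize and the /opt/splunk paths are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `splunk btool authorize list --debug` output.
# Each line is "<source file>  <conf line>"; paths and app name are hypothetical.
SAMPLE_BTOOL='/opt/splunk/etc/apps/key_all_authorize/local/authorize.conf  [role_apigtwy]
/opt/splunk/etc/apps/key_all_authorize/local/authorize.conf  srchIndexesAllowed = infra_apigtwy
/opt/splunk/etc/apps/key_all_authorize/local/authorize.conf  srchIndexesDefault = infra_apigtwy
/opt/splunk/etc/apps/key_all_authorize/local/authorize.conf  importRoles = user
/opt/splunk/etc/apps/key_all_authorize/local/authorize.conf  srchJobsQuota = 5
/opt/splunk/etc/apps/key_all_authorize/local/authorize.conf  cumulativeSrchJobsQuota = 10
/opt/splunk/etc/system/local/authorize.conf  schedule_rtsearch = disabled
/opt/splunk/etc/system/default/authorize.conf  rtsearch = enabled
/opt/splunk/etc/system/default/authorize.conf  [role_user]
/opt/splunk/etc/system/default/authorize.conf  srchJobsQuota = 3'

# Read btool --debug output on stdin and print "<stanza> <key> = <value>" for
# every effective setting whose source is etc/system/local, i.e. a change most
# likely made through Splunk Web instead of the deployed app bundle.
system_local_settings() {
  awk '
    {
      src = $1                   # first field: the file that won precedence
      $1 = ""                    # drop it; awk rebuilds $0 from the rest
      sub(/^[ \t]+/, "", $0)     # trim the leading separator
    }
    /^\[/ { stanza = $0; next }  # stanza header applies to the keys after it
    src ~ /\/etc\/system\/local\// && /=/ { print stanza " " $0 }
  '
}

# Exit non-zero when anything is sourced from system/local, so a cron job or
# monitoring check can alert on configuration drift away from the bundle.
check_drift() {
  drift=$(system_local_settings)
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Live use on a search head (not executed here):
#   splunk btool authorize list --debug | check_drift

# Demonstration on the constructed sample; prints the one drifted setting.
printf '%s\n' "$SAMPLE_BTOOL" | check_drift || echo "drift detected"
```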


authorization.conf is, in my mind, a global configuration file, similar to serverclass.conf. I would adjust the $SPLUNK_HOME/etc/shcluster/apps/key_all_authentication/local/authentication.conf in the deployer and distribute.



Thanks for the quick response. So would it be best to leave the one in system on the search heads alone even though it may have some duplicate stanzas? For example, authorize.conf is one that I want to consolidate, and right now I see this:


srchIndexesAllowed = infra_apigtwy
srchIndexesDefault = infra_apigtwy
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10

But it looks like someone removed the schedule_rtsearch option from the UI, because in the system/local/authorize.conf I have

schedule_rtsearch = disabled

Would I just add the schedule_rtsearch to the first file, and redeploy, or do I need to remove from the second file as well before I redeploy?
