Hopefully this isn't a strange question, but I had a question regarding the consolidation of configuration stanzas from a conf file from the bundle level, to settings that may have been adjusted from Splunk Web on the Search Head. For example, we have the authorization.conf file that we have set all of our group permissions like disabling real time search and such.
I noticed that one of our admins may have adjusted some of the settings from Splunk Web, because I did find an authorization.conf file in the system directory of the search head with one of the group roles adjusted. This is completely fine, and there are no conflicts between the files, but I was wondering what the best way to consolidate these would be.
If I remember correctly, the bundle/app level configs overrule the system level configurations, so would there be any harm in manually adding the differences to my bundle config and leaving the system config as-is... or would I need to remove from one and put it into the other?
Hope that wasn't confusing. Thanks!
authorization.conf is, in my mind, a global configuration file, similar to serverclass.conf. I would adjust the $SPLUNK_HOME/etc/shcluster/apps/key_all_authentication/local/authentication.conf in the deployer and distribute.
Thanks for the quick response. So would it be best to leave the one in system on the search heads alone even though it may have some duplicate stanzas? For example, authorize.conf is one that I want to consolidate, and right now I see this:
[role_mysample_user]
srchIndexesAllowed = infra_apigtwy
srchIndexesDefault = infra_apigtwy
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
But looks like someone removed the schedule rtsearch option from the UI because in the system/local/authorize.conf I have
[role_mysample_user]
schedule_rtsearch = disabled
Would I just add the schedule_rtsearch to the first file, and redeploy, or do I need to remove from the second file as well before I redeploy?
The btool command with the debug option might help:
splunk btool authorize list --debug | grep -v system/default
At least you can get a catalog of the settings you're targeting.
I considered that as well and think that may be the best solution at this time. I might have to just do periodic btool checks to see what settings are being written at system level from time to time. It would indicate that someone is changing settings through the UI instead of through bundle level.
Sounds like a good idea for a splunk app though 😄
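The periodic btool check discussed in this thread can be scripted. The following is an added example, not code from any poster: it filters `btool --debug` output down to the authorize.conf settings supplied by etc/system/local. The app name `example_roles_app`, the `/opt/splunk` path and the sample lines are constructed, and it assumes each line is a source path (without spaces) followed by the stanza header or setting.

```shell
#!/bin/sh
# Added example: list authorize.conf settings whose effective value is
# supplied by etc/system/local (where Splunk Web edits were found in this
# thread) so they can be folded back into the deployed bundle.

# Reads `splunk btool authorize list --debug` output on stdin.
# Assumed line format: "<source file path><spaces><[stanza] or key = value>".
# Prints "stanza<TAB>setting" for each setting sourced from system/local.
system_local_settings() {
    awk '
        {
            src  = $1
            line = substr($0, length($1) + 1)   # text after the path column
            sub(/^[ \t]+/, "", line)
            if (line ~ /^\[.*\]$/) { stanza = line; next }
            if (src ~ /\/etc\/system\/local\//) print stanza "\t" line
        }
    '
}

# Number of settings coming from system/local; non-zero means drift.
drift_count() {
    system_local_settings | wc -l | tr -d ' '
}

# Constructed sample of btool --debug output (hypothetical app name and path).
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/example_roles_app/default/authorize.conf  [role_mysample_user]
/opt/splunk/etc/apps/example_roles_app/default/authorize.conf  cumulativeSrchJobsQuota = 10
/opt/splunk/etc/apps/example_roles_app/default/authorize.conf  importRoles = user
/opt/splunk/etc/system/local/authorize.conf                    schedule_rtsearch = disabled
/opt/splunk/etc/apps/example_roles_app/default/authorize.conf  srchIndexesAllowed = infra_apigtwy
/opt/splunk/etc/system/default/authorize.conf                  [role_user]
/opt/splunk/etc/system/default/authorize.conf                  srchJobsQuota = 3
EOF
}

# Live use on a search head (left as a comment so the example runs offline):
#   "$SPLUNK_HOME/bin/splunk" btool authorize list --debug | system_local_settings
sample_btool_output | system_local_settings
```

Run from cron on each search head, a non-zero `drift_count` is the signal that a role was changed through the UI rather than through the bundle.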