Getting Data In

Is the Active Directory group name specified in authentication.conf case sensitive, and what will happen if we have 2 indexes with the same name in indexes.conf?

Contributor

Hi Fellow Splunkers,

I have two questions:

1) Is the Active Directory group name specified in authentication.conf case sensitive? I mean, do we have to specify the same name that is used to create the group on the AD server?

2) What will happen if we specify same index name and related config in indexes.conf file on the cluster master and run the splunk apply cluster-bundle command?

Thanks in advance

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Answer 1. No, nothing in LDAP/AD is case sensitive to my knowledge.

Answer 2. What do you mean by "same index name"? You cant have two indexes named the same. As to what will happen, Splunk will take the last lines of the config that were duplicates.

Example 1

.../master-apps/_cluster/local/indexes.conf begins...

[index1]
maxDataSizeMB = 100

...more indexes here...

[index1]
maxDataSizeMB = 2000

... end of file ...

Splunk will use maxDataSizeMB = 2000

  Example 2

  .../master-apps/_cluster/**DEFAULT**/indexes.conf begins...

  [index1]
  maxDataSizeMB = 2000

  ....end of file....

  .../master-apps/_cluster/**LOCAL**/indexes.conf begins...

  [index1]
  maxDataSizeMB = 100

  ....end of file....

Splunk will use maxDataSizeMB = 100

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Updatepeerconfigurations

View solution in original post

Communicator

LDAP group names ARE case sensitive to Splunk (but not to LDAP or AD, which are case aware, not case sensitive). If you put in the group in the incorrect case, they will be ignored by Splunk.

SplunkTrust
SplunkTrust

Answer 1. No, nothing in LDAP/AD is case sensitive to my knowledge.

Answer 2. What do you mean by "same index name"? You cant have two indexes named the same. As to what will happen, Splunk will take the last lines of the config that were duplicates.

Example 1

.../master-apps/_cluster/local/indexes.conf begins...

[index1]
maxDataSizeMB = 100

...more indexes here...

[index1]
maxDataSizeMB = 2000

... end of file ...

Splunk will use maxDataSizeMB = 2000

  Example 2

  .../master-apps/_cluster/**DEFAULT**/indexes.conf begins...

  [index1]
  maxDataSizeMB = 2000

  ....end of file....

  .../master-apps/_cluster/**LOCAL**/indexes.conf begins...

  [index1]
  maxDataSizeMB = 100

  ....end of file....

Splunk will use maxDataSizeMB = 100

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Updatepeerconfigurations

View solution in original post

Contributor

Thanks jkat54, this was very helpful in understanding this.

0 Karma

SplunkTrust
SplunkTrust

YVW. Understanding which config file will take precedence can be tricky.

Hence the need for some sort of "Debug" command. Alas one exists!

./splunk cmd btool indexes list --debug

or

./splunk cmd btool {name of config file here} list --debug

0 Karma