Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Search head pooling and local users
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm testing search head pooling and I noticed, that when I add new user on first search head, second search head does not see that user and it cannot log in. I see directory of that user in the SHARED_PATH/etc/users/, but it is only visible on the user list by that search head, where I have created it. The same happen when I create user on the second search head - the first one does not see that user on the user list.
Is this a bug? Feature? How to fix it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think that we should call this a feature 🙂
We have been using search head pooling in the past with local authentication and the issue was the same. We have agreed to define new users only on one of the search heads and replicated the files with the users and roles by cron job once per day:
$SPLUNK_HOME/etc /passwd (User, passwords, role assignment)
$SPLUNK_HOME/etc/system/local/authorize.conf (role definition)
But this is just kind of work around. Later on we switched to a scripted authentication system.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think that we should call this a feature 🙂
We have been using search head pooling in the past with local authentication and the issue was the same. We have agreed to define new users only on one of the search heads and replicated the files with the users and roles by cron job once per day:
$SPLUNK_HOME/etc /passwd (User, passwords, role assignment)
$SPLUNK_HOME/etc/system/local/authorize.conf (role definition)
But this is just kind of work around. Later on we switched to a scripted authentication system.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It´s still happening on 6.1.1 but i could see that everything was being written on the nfs folder, not on the /opt/splunk folder.
Re-starting splunk does not solve it.
App instalation is automatic on the other search head, i mean, the one that was not installing the App.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If obects like reports/alerts/dashboards are available across all search-heads in a pool, isn't it logical to assume that so would be the users? But they are not! (On 6.2.2)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
