I am in the process of migrating our Splunk indexer to a new server. I have everything set up, and would like to force a select few users to use the new server instead of the old.
The best design I have created so far is to just disable the users from logging into the old system. This will be a constant reminder for them to use the new Splunk server. Both Splunk servers point to the same LDAP server, so I cannot alter their LDAP settings.
How can I disable a user from logging into Splunk?
I don't think you can disable an LDAP user from a particular Splunk server.
However, if you're using LDAP and you then edit one of the LDAP users in Splunk's Manager interface (yes, this is bizarre), submitting the edit form will create a local Splunk user, and I think that this local user then takes precedence over the same username in LDAP for subsequent logins.
If I'm right, then you could go into Manager as the admin user, change the other user's password there, and although it wouldn't tell them why they suddenly can't log in, it might serve your needs.
(Log in as admin, go to Manager > Access Controls > Users, page/search your way to the user in question, then click on the username, change their password.)
It seems to me that you can set up a new app and display a message and link to the new server. (I guess you can auto refresh the new server if you like.) Then change your selected users to use this new app as default. This will do the trick if they just log in, but if they have a link to a specific view, it won't.
Thanks for the answer. However, when I log in with my Splunk admin account, the "change password" options are blanked out to where I cannot change the password.
Any other ideas?