I add users in authentication.conf. I push them to SH. The updated file resides on .../primary/..
But when i reload (which i have to do for some reason), a new copy of authentication.conf is automatically created and is placed in ../etc/system/local/
this system/local copy overrides the one in primary.
Now i have to delete this system/local copy every time i add users to see newly added users in UI.
Is there a way to avoid this step ?
Which authentication.conf are you adding users to? Are you manually adding via the auth.conf or via the Splunk Web UI? I also don't understand your reference to ../primary/..
They should be added to:
$SPLUNK_HOME/etc/system/local/authentication.conf.
The system should never overwrite anything in your:
$SPLUNK_HOME/etc/system/local/
directory as a general rule.
Which authentication.conf are you adding users to? Are you manually adding via the auth.conf or via the Splunk Web UI? I also don't understand your reference to ../primary/..
They should be added to:
$SPLUNK_HOME/etc/system/local/authentication.conf.
The system should never overwrite anything in your:
$SPLUNK_HOME/etc/system/local/
directory as a general rule.