Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to migrate roles from a standard alone Splunk instance to a Splunk Search Head Cluster

patng_nw
Communicator
‎01-12-2019 05:58 AM

I am migrating from a stand-alone Splunk machine to a search head cluster + indexer cluster architecture. I read many articles but still couldn't figure out the proper way to migrate the roles (authorize.conf) to my new Search Head Cluster.

Questions:

  1. Should I use deployer to propagate it? And if so, should I put my original authorize.conf file under $SPLUNK_HOME/etc/shcluster/system/local on my deployer machine? The official doc (https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads) only mentions the apps/ and users/ subfolder under etc/shcluster, so I got a feeling that only these two subfolders will get pushed when I apply the config bundle.
  2. If not using deployer, what is the proper way?

Thanks.
- Patrick

0 Karma
Reply

nickhills
Ultra Champion
‎01-14-2019 01:44 AM

1.) It depends. - You can certainly use a deployer to push the athorize.conf file to your index peers, however you need to be mindful of the fact that if you choose to make changes to roles via the UI, these will not get copied back to the deployer.

This is not an issue as long as you realize that you may need to check in more than one place for these configuration changes in the future, and you frequently 'merge' your local setting (from SHC members) with the master copy on the deployer. This is one of the management overheads SHC brings.

You are of course able to make all your user and role changes on the SHC members, but the drawback of that approach is if ever your SHC disastrously falls over, you may have to start from scratch and add each role again manually.

Personally, I push roles from the deployer, and manage them all from there. I get sad if people make changes to roles on the UI without letting me know!

If my comment helps, please give it a thumbs up!
0 Karma
Reply

dkeck
Influencer
‎01-14-2019 12:11 AM

Hi,

this might help: https://answers.splunk.com/answers/230771/search-head-cluster-how-to-manage-new-roles-betwee-1.html

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...