Splunk Enterprise

How to migrate roles from a stand-alone Splunk instance to a Splunk Search Head Cluster


I am migrating from a stand-alone Splunk machine to a search head cluster + indexer cluster architecture. I read many articles but still couldn't figure out the proper way to migrate the roles (authorize.conf) to my new Search Head Cluster.


  1. Should I use deployer to propagate it? And if so, should I put my original authorize.conf file under $SPLUNK_HOME/etc/shcluster/system/local on my deployer machine? The official doc (https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/Migratefromstandalonesearchheads) only mentions the apps/ and users/ subfolders under etc/shcluster, so I got a feeling that only these two subfolders will get pushed when I apply the config bundle.
  2. If not using deployer, what is the proper way?

- Patrick

0 Karma

Ultra Champion

1.) It depends. You can certainly use a deployer to push the authorize.conf file to your index peers; however, you need to be mindful of the fact that if you choose to make changes to roles via the UI, these will not get copied back to the deployer.

This is not an issue as long as you realize that you may need to check in more than one place for these configuration changes in the future, and you frequently 'merge' your local settings (from SHC members) with the master copy on the deployer. This is one of the management overheads SHC brings.

You are of course able to make all your user and role changes on the SHC members, but the drawback of that approach is if ever your SHC disastrously falls over, you may have to start from scratch and add each role again manually.

Personally, I push roles from the deployer, and manage them all from there. I get sad if people make changes to roles on the UI without letting me know!

If my comment helps, please give it a thumbs up!
0 Karma
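
The answer above describes roles changed in the UI drifting away from the master copy on the deployer. As an added example (not part of the original posts and not Splunk tooling), this script compares the `[role_*]` stanzas of two authorize.conf texts and lists every setting that differs, so role and capability changes made on a member can be reviewed before they are merged back. The conf samples and role names are constructed, and how you collect each file's text is left as an assumption.

```python
# Added example; both conf samples are constructed. First: the deployer's master copy.
DEPLOYER_CONF = """\
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = main;security
schedule_search = enabled
"""

# A member's local copy after role edits made in the UI.
MEMBER_CONF = """\
[role_soc_analyst]
importRoles = user;power
srchIndexesAllowed = main;security
schedule_search = enabled
edit_user = enabled

[role_contractor]
importRoles = user
"""

def parse_roles(text):
    """Return {stanza: {setting: value}} for every [role_*] stanza."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = roles.setdefault(name, {}) if name.startswith("role_") else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return roles

def role_drift(master_text, member_text):
    """List (stanza, setting, master_value, member_value) for each difference."""
    master, member = parse_roles(master_text), parse_roles(member_text)
    drift = []
    for stanza in sorted(set(master) | set(member)):
        m, s = master.get(stanza, {}), member.get(stanza, {})
        for key in sorted(set(m) | set(s)):
            if m.get(key) != s.get(key):  # None means the setting is absent
                drift.append((stanza, key, m.get(key), s.get(key)))
    return drift

if __name__ == "__main__":
    for stanza, key, old, new in role_drift(DEPLOYER_CONF, MEMBER_CONF):
        print(f"{stanza}: {key}: deployer={old!r} member={new!r}")
```

A `None` on the deployer side marks a role or setting that exists only on the member, which is the case most worth reviewing: here a new role and an added `edit_user` capability.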
