Hi all,

I have an interesting problem I discovered. Recently, we migrated our Splunk Cluster to a different cluster hosted somewhere else. Since we use LDAP authentication , we need to migrate over User information as well as the LDAP strategies so that the user experience is not affected by the move. We copied over the authorize.conf, authentication.conf as well as the user folder for their KO. There were over 100 different users that we did this.

We deployed the user folder using the new cluster's Deployer and we copied over the authorize.conf/authentication.conf manually to the system/local folder.

We verified user access and various users were able to verify that they can login. However,  we  (the splunk Admins) realized that we cannot see these users logging in from the authentication endpoint. When we click the User tab under "Users and Authentication" in Settings, the GUI only shows that there are 10 users (including the admins). The rest endpoint ( |rest /services/authentication/users) also says the same thing. 

So my question is,  where does Splunk store user information that it references when hitting the authentication endpoint ?  Is there any reason why copying over the User folder and authentication/authorization.conf was not enough?

Thank you!