Splunk Enterprise

user-prefs.conf in a custom app

brent_weaver
Builder

I am creating a custom app for my company and I have put user-prefs.conf in default. The SHC always complains about this file when I push a bundle, and a restart is required. Am I not supposed to house this file within an app? Does it need to go in etc/system/local?

Any help is much appreciated because at this point I cannot do a rolling restart of my SHC.

0 Karma

brent_weaver
Builder

Yes the roles exist:

[general_default]
default_earliest_time = -1h
default_latest_time = now

[role_predix-ops-user]
default_namespace = GE_Predix_App

[role_predix-sec-user]
default_namespace = GE_Predix_App

[role_predix-admin]
default_namespace = launcher

Is there something wrong with the file? Is there an issue with the general_default section? The roles exist in the same app actually:

[role_predix-admin]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = admin
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchMaxTime = 0

[role_predix-sec-user]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = *_security
srchMaxTime = 0

[role_predix-ops-user]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = *_predix_*;_*;last_chance_predix
srchIndexesDefault = *_predix_*
srchMaxTime = 30d
srchJobsQuota = 15
rtSrchJobsQuota = 1

Any insight is much appreciated!

0 Karma

brent_weaver
Builder

Something very worthy of note is that this only happens in our SHC, not on our standalone nodes. I cannot even do a rolling restart of the cluster.

0 Karma

ddrillic
Ultra Champion

In our case, we use $SPLUNK_HOME/etc/shcluster/apps/user-prefs/local/user-prefs.conf on the deployer to map the Splunk roles to the default_namespace - an app.

user-prefs.conf says:

-- To use one or more of these configurations, copy the configuration block into user-prefs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.

0 Karma

ryanhast
Explorer

Is the role that your user-prefs.conf not deployed to your SHC? What is the error that SHC is barking about?
In my SHC I package the user-prefs.conf in a separate package to deploy to SHC. Any changes, I make them there.

0 Karma
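
The question raised above (does every role named in user-prefs.conf exist on the SHC?) can be checked before pushing a bundle. This is an added example, not code from the thread or from Splunk; the sample text is constructed from the stanzas quoted above, and `role_predix-audit`, `check_user_prefs` and the `known_apps` set are assumptions made for illustration.

```python
import configparser

# Constructed sample input modelled on the stanzas quoted in the thread.
# role_predix-audit is a made-up role with no definition, to show a finding.
USER_PREFS = """\
[general_default]
default_earliest_time = -1h

[role_predix-ops-user]
default_namespace = GE_Predix_App

[role_predix-admin]
default_namespace = launcher

[role_predix-audit]
default_namespace = GE_Predix_App
"""
AUTHORIZE = """\
[role_predix-admin]
importRoles = admin
srchIndexesAllowed = *;_*

[role_predix-ops-user]
importRoles = user
srchIndexesAllowed = *_predix_*;_*;last_chance_predix
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def check_user_prefs(user_prefs_text, authorize_text, known_apps):
    """Return (stanza, problem) pairs for role stanzas that cannot resolve."""
    prefs = parse_conf(user_prefs_text)
    roles = {s for s in parse_conf(authorize_text) if s.startswith("role_")}
    findings = []
    for stanza, settings in prefs.items():
        if stanza.startswith("role_") and stanza not in roles:
            findings.append((stanza, "role not defined in authorize.conf"))
        ns = settings.get("default_namespace")
        if ns is not None and ns not in known_apps:
            findings.append((stanza, f"default_namespace {ns!r} is not a known app"))
    return findings

if __name__ == "__main__":
    for finding in check_user_prefs(USER_PREFS, AUTHORIZE, {"GE_Predix_App", "launcher"}):
        print(*finding, sep=": ")
```

In practice the two texts would be read from the app's user-prefs.conf and authorize.conf in the deployer's staging directory, and `known_apps` from the app directory names there.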