Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

What's ops.json in etc/system/replication?

tfechner
Path Finder
‎06-11-2019 12:50 AM

Hi,

we removed some roles and checked on file level where these roles still have a reference.
We found the file splunk/etc/system/replication/ops.json still hase a reference to the deleted roles.

We use SH-Cluster and idx-cluster.

Who has informations about this file?

Torsten

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nnmiller
SplunkTrust
SplunkTrust
‎06-25-2019 12:02 PM 
splunk/etc/system/replication/ops.json

ops.json resides on each of the SHC members. It is a commit history for the changes made to KOs and other configurations on the SH for the time period it covers.

It will contain references to the roles you removed until the ops.json window shifts past the date where the changes were made or applied on the SHC members.

View solution in original post

Reply
Solved! Jump to solution
Solution

nnmiller
SplunkTrust
SplunkTrust
‎06-25-2019 12:02 PM 
splunk/etc/system/replication/ops.json

ops.json resides on each of the SHC members. It is a commit history for the changes made to KOs and other configurations on the SH for the time period it covers.

It will contain references to the roles you removed until the ops.json window shifts past the date where the changes were made or applied on the SHC members.

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎06-11-2019 01:31 AM

Hi,

How you removed the roles from Splunk Search Head Cluster ? If you modified authorize.conf and authentication.conf directly on SHC members then please do rolling restart of all SHC members.

0 Karma
Reply
Solved! Jump to solution

tfechner
Path Finder
‎06-11-2019 02:17 AM

we removed the roles in the SH-cluster via the GUI. but some relicts are still in the config files, esp. local.meta

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎06-11-2019 02:46 AM

When you remove role from Search Head and if that role is used for read and write permission for knowledge objects then splunk will not remove it and knowledge objects permissions are in local.meta , you need to manually remove those.

0 Karma
Reply
Solved! Jump to solution

tfechner
Path Finder
‎06-11-2019 03:36 AM

done. grep and xargs are your friend.
but still the question: what's done with ops.json

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎06-11-2019 03:57 AM

That file contains all files and config for Search Head Cluster state. For example {"dst":["nobody","system","authorize","role_ABC"] , this will indicate that you have role_ABC in $SPLUNK_HOME/etc/system and config in authorize.conf config file.

Please check whether all SHC members are in sync or not. If all SHC members are in sync then check configuration file for those roles which are reflecting in ops.json

0 Karma
Reply
Solved! Jump to solution

tfechner
Path Finder
‎06-11-2019 04:29 AM

all members are in sync. mostly the location "$SPLUNK_HOME/var/run/splunk/lookup_tmp/" is the problem . this path is empty!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...