Security

Why do capabilities keep reappearing in roles?

a212830
Champion

Hi,

I noticed that some roles had the "scheduled_rtsearch" capability, and I removed them from both of my search heads, via Splunk Web. I then noticed on some indexers, some processes running with "rt_scheduler" listed, which, I believe, indicates a scheduled real-time search.

I then went back into the role, and the "scheduled_rtsearch" capability was back. I'm quite certain that I had removed it.

We are running 6.4.1, using Search Head Pooling (SHP).

Anyone?

0 Karma

tweaktubbie
Communicator

Having similar issues with 6.5.1. Changed the ../etc/system/local/authorize.conf to start with

[default]
schedule_rtsearch =

And that solved the re-appearing capability in my power role. BUT. For a few months now (upgrade related?) power has got its rtsearch capability back. Even though configured:

[role_power]
rtsearch = disabled

and changed, on the advice of our local Splunk rep, the default part from above to
[default]
schedule_rtsearch =
rtsearch =

After restarting Splunk, power gets its rtsearch back. Not always, it seems, weirdly enough. Wondering how to finally enforce the disabling of rtsearch; I don't like having to keep reminding myself to remove it after a restart.

0 Karma

sloshburch
Splunk Employee

I'd suggest making sure all the config is managed by a deployment app. Use btool to see which app's configuration is taking precedence.

0 Karma

tweaktubbie
Communicator

Btool shows nothing overriding/conflicting. Using out of the box power role inheriting user (and user is checked, all default, no rt/schedulert there).

0 Karma

sloshburch
Splunk Employee

Hmm. Would you show btool with the --debug so we can see what you mean?

0 Karma

sloshburch
Splunk Employee

Sounds like a case for detective [btool] with the --debug flag (https://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/Usebtooltotroubleshootconfigurati...)

Something like this should show which file it's coming from, which should then allow you to work backwards to identify where this is being deployed from: ./splunk btool authorize list --debug | grep scheduled_rtsearch - this will bring back results for all roles, so make sure you're looking at the one you want it removed from.

Also, some capabilities are inherited from any role inheritance. It should show up in a separate menu item in the GUI and only in the inherited role's capabilities on the config (and btool). Therefore, I assume that is not at play here.

0 Karma
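As an added example (not code from the thread or from Splunk), the following Python script models the two things the reply above relies on: layering of authorize.conf files by precedence with the winning source file recorded per key (what btool --debug prints), and resolution of effective capabilities through importRoles, which btool does not do for you. It assumes a simplified global-context precedence (system/local over app local over app default over system/default, ignoring ordering between several apps), a [default] stanza fallback for keys missing from a role stanza, and that a capability enabled in an imported role cannot be switched off by the importing role. The file contents and the app name my_deploy_app are constructed for the example.

```python
"""Toy model of Splunk authorize.conf layering plus role inheritance (added example)."""
import re
from collections import defaultdict

# Constructed sample files: path -> content. Not taken from a real deployment.
SAMPLE_FILES = {
    "etc/system/default/authorize.conf": """
[role_user]
search = enabled

[role_power]
importRoles = user
rtsearch = enabled
schedule_rtsearch = enabled
""",
    # Hypothetical deployment app that grants rtsearch to the *user* role.
    "etc/apps/my_deploy_app/local/authorize.conf": """
[role_user]
rtsearch = enabled
""",
    # What disabling the two capabilities on role_power leaves in system/local.
    "etc/system/local/authorize.conf": """
[role_power]
rtsearch = disabled
schedule_rtsearch = disabled
""",
}

STANZA_RE = re.compile(r"^\[(.+?)\]$")


def precedence(path):
    """Rank a file for the global context; a higher rank overrides a lower one (simplified)."""
    if path.startswith("etc/system/local/"):
        return 3
    if path.startswith("etc/apps/") and "/local/" in path:
        return 2
    if path.startswith("etc/apps/") and "/default/" in path:
        return 1
    return 0  # etc/system/default


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; empty values are kept as ''."""
    stanzas, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge(files):
    """Merge lowest-precedence first so the winner lands last; keep the source path per key."""
    merged = defaultdict(dict)
    for path in sorted(files, key=precedence):
        for stanza, kv in parse_conf(files[path]).items():
            for key, value in kv.items():
                merged[stanza][key] = (value, path)
    return merged


def setting(merged, stanza, key):
    """(value, path) for key in stanza, falling back to the [default] stanza; None if unset."""
    if key in merged.get(stanza, {}):
        return merged[stanza][key]
    return merged.get("default", {}).get(key)


def effective_capabilities(merged, role, _seen=None):
    """{capability: (source_file, role_it_came_from)} for role_<role>, following importRoles.
    Assumption: an inherited 'enabled' is not revoked by 'disabled' in the importing role."""
    seen = _seen if _seen is not None else set()
    if role in seen:  # guard against import cycles
        return {}
    seen.add(role)
    stanza, caps = f"role_{role}", {}
    imports = setting(merged, stanza, "importRoles")
    if imports and imports[0]:
        for parent in (p.strip() for p in imports[0].split(";")):
            if parent:
                for cap, origin in effective_capabilities(merged, parent, seen).items():
                    caps.setdefault(cap, origin)
    keys = set(merged.get(stanza, {})) | set(merged.get("default", {}))
    for key in keys - {"importRoles"}:
        value, path = setting(merged, stanza, key)
        if value == "enabled":
            caps[key] = (path, role)
    return caps


def report(files, role):
    """Human-readable lines: capability, winning file, and the role it was inherited from."""
    merged = merge(files)
    lines = []
    for cap, (path, via) in sorted(effective_capabilities(merged, role).items()):
        note = "" if via == role else f"  (inherited via role {via})"
        lines.append(f"{cap:20} enabled  {path}{note}")
    return lines


if __name__ == "__main__":
    merged = merge(SAMPLE_FILES)
    print("Direct setting on role_power:", setting(merged, "role_power", "rtsearch"))
    print("Effective capabilities of role power:")
    for line in report(SAMPLE_FILES, "power"):
        print("  " + line)
```

Run stand-alone, it shows rtsearch as disabled in etc/system/local for role_power, exactly what a btool grep on the power stanza would report, while the effective view still lists rtsearch, sourced from the app file that granted it to role_user. That is the inheritance case the reply mentions: grep btool for every role in the import chain, not only the one you edited.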

horsefez
Motivator

Hi a212830,

I experienced exactly the same thing when I was configuring capabilities.
I then eventually configured the capabilities for the different roles via authorize.conf.
Since then no capability ever had the courage to just walk past me anymore.

0 Karma