Getting Data In

Best way to consolidate System directory configs to existing configs at bundle level?

paimonsoror
Builder

Hi Folks;

Hopefully this isn't a strange question, but I had a question regarding the consolidation of configuration stanzas from a conf file at the bundle level with settings that may have been adjusted from Splunk Web on the Search Head. For example, we have the authorization.conf file in which we have set all of our group permissions, like disabling real-time search and such.

I noticed that one of our admins may have adjusted some of the settings from Splunk Web, because I did find an authorization.conf file in the system directory of the search head with one of the group roles adjusted. This is completely fine, and there are no conflicts between the files, but I was wondering what the best way to consolidate these would be.

If I remember correctly, the bundle/app level configs overrule the system level configurations, so would there be any harm in manually adding the differences to my bundle config and leaving the system config as-is... or would I need to remove from one and put it into the other?

Hope that wasn't confusing. Thanks!

0 Karma

twinspop
Influencer

The btool command with the debug option might help:

splunk btool authorize list --debug | grep -v system/default

At least you can get a catalog of the settings you're targeting.

paimonsoror
Builder

I considered that as well and think that may be the best solution at this time. I might have to just do periodic btool checks to see what settings are being written at system level from time to time. It would indicate that someone is changing settings through the UI instead of through bundle level.

Sounds like a good idea for a Splunk app though 😄

0 Karma

ddrillic
Ultra Champion

authorization.conf is, in my mind, a global configuration file, similar to serverclass.conf. I would adjust the $SPLUNK_HOME/etc/shcluster/apps/key_all_authentication/local/authentication.conf in the deployer and distribute.

0 Karma

paimonsoror
Builder

Thanks for the quick response. So would it be best to leave the one in system on the search heads alone even though it may have some duplicate stanzas? For example, authorize.conf is one that I want to consolidate, and right now I see this:

$SPLUNK_HOME/etc/shcluster/apps/key_all_authentication/local/authorize.conf

[role_mysample_user]
srchIndexesAllowed = infra_apigtwy
srchIndexesDefault = infra_apigtwy
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10

But it looks like someone removed the schedule_rtsearch option from the UI, because in the system/local/authorize.conf I have

[role_mysample_user]
schedule_rtsearch = disabled

Would I just add the schedule_rtsearch to the first file, and redeploy, or do I need to remove from the second file as well before I redeploy?

0 Karma
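The check the thread is circling around (what did someone write in system/local that the deployer-managed app does not carry, and what would the app stanza look like once consolidated) can be scripted without waiting for btool. The script below is an added example, not code from the thread or from Splunk; the two inputs are constructed from the stanzas quoted above, and the parser is a minimal INI-style reader (no multi-line continuations). One caveat worth building in: for global-context files such as authorize.conf, Splunk's documented precedence is system/local over app/local, so a stanza left behind in $SPLUNK_HOME/etc/system/local keeps shadowing whatever the deployer pushes. The merge below therefore applies system/local last, and the drift report flags both keys missing from the app copy and keys whose values conflict.

```python
"""Report settings in system/local that shadow or extend an app-level Splunk
.conf file, and emit the stanza the app-level copy would need to carry them.

Added example, not from the original thread. The inputs are constructed to
match the two authorize.conf fragments quoted in the thread.
"""

from collections import OrderedDict

# Constructed input: the deployer-managed app copy quoted in the thread.
APP_LOCAL = """\
[role_mysample_user]
srchIndexesAllowed = infra_apigtwy
srchIndexesDefault = infra_apigtwy
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10
"""

# Constructed input: what Splunk Web wrote to system/local on the search head.
SYSTEM_LOCAL = """\
[role_mysample_user]
schedule_rtsearch = disabled
"""


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}.

    Keeps insertion order; skips blank lines, # comments, and key lines that
    appear before any [stanza] header.
    """
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, OrderedDict())
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_settings(layers):
    """Merge conf layers given lowest-precedence first; later layers win.

    For global-context files like authorize.conf, Splunk's order is
    system/default < app/default < app/local < system/local, so the
    system/local layer must be passed last.
    """
    merged = OrderedDict()
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, OrderedDict()).update(kv)
    return merged


def drift(app_local, system_local):
    """Return {stanza: {key: (app_value_or_None, system_value)}} for every
    system/local setting that is absent from, or conflicts with, app/local."""
    out = OrderedDict()
    for stanza, kv in system_local.items():
        base = app_local.get(stanza, {})
        for key, sys_val in kv.items():
            app_val = base.get(key)
            if app_val != sys_val:
                out.setdefault(stanza, OrderedDict())[key] = (app_val, sys_val)
    return out


def render(stanzas):
    """Serialise {stanza: {key: value}} back to conf text."""
    chunks = []
    for stanza, kv in stanzas.items():
        chunks.append(f"[{stanza}]")
        chunks.extend(f"{k} = {v}" for k, v in kv.items())
        chunks.append("")
    return "\n".join(chunks)


if __name__ == "__main__":
    app, sys_local = parse_conf(APP_LOCAL), parse_conf(SYSTEM_LOCAL)
    for stanza, keys in drift(app, sys_local).items():
        for key, (app_val, sys_val) in keys.items():
            state = "conflict" if app_val is not None else "missing in app"
            print(f"{stanza}: {key} = {sys_val} ({state}; app has {app_val})")
    # The consolidated stanza to put in the deployer's app copy:
    print(render(effective_settings([app, sys_local])))
```

Once the rendered stanza is committed to the deployer copy and pushed, delete the matching stanza from system/local on each search head; otherwise a later change to the app copy for the same key would be silently overridden by the leftover, and a periodic `btool --debug` run, as suggested above, would keep showing the system/local path as the winning source.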