Getting Data In

Best way to consolidate System directory configs to existing configs at bundle level?

paimonsoror
Builder

Hi Folks;

Hopefully this isn't a strange question, but I had a question regarding the consolidation of configuration stanzas from a conf file from the bundle level, to settings that may have been adjusted from Splunk Web on the Search Head. For example, we have the authorization.conf file that we have set all of our group permissions like disabling real time search and such.

I noticed that one of our admins may have adjusted some of the settings from Splunk Web, because I did find an authorization.conf file in the system directory of the search head with one of the group roles adjusted. This is completely fine, and there are no conflicts between the files, but I was wondering what the best way to consolidate these would be.

If I remember correctly, the bundle/app level configs overrule the system level configurations, so would there be any harm in manually adding the differences to my bundle config and leaving the system config as-is... or would I need to remove from one and put it into the other?

Hope that wasn't confusing. Thanks!

0 Karma

twinspop
Influencer

The btool command with the debug option might help:

splunk btool authorize list --debug | grep -v system/default

At least you can get a catalog of the settings you're targeting.

paimonsoror
Builder

I considered that as well and think that may be the best solution at this time. I might have to just do periodic btool checks to see what settings are being written at system level from time to time. It would indicate that someone is changing settings through the UI instead of through bundle level.

Sounds like a good idea for a Splunk app though 😄

0 Karma

ddrillic
Ultra Champion

authorization.conf is, in my mind, a global configuration file, similar to serverclass.conf. I would adjust the $SPLUNK_HOME/etc/shcluster/apps/key_all_authentication/local/authentication.conf in the deployer and distribute.

0 Karma

paimonsoror
Builder

Thanks for the quick response. So would it be best to leave the one in system on the search heads alone even though it may have some duplicate stanzas? For example, authorize.conf is one that I want to consolidate, and right now I see this:

$SPLUNK_HOME/etc/shcluster/apps/key_all_authentication/local/authorize.conf

[role_mysample_user]
srchIndexesAllowed = infra_apigtwy
srchIndexesDefault = infra_apigtwy
importRoles = user
srchJobsQuota = 5
cumulativeSrchJobsQuota = 10

But looks like someone removed the schedule rtsearch option from the UI because in the system/local/authorize.conf I have

[role_mysample_user]
schedule_rtsearch = disabled

Would I just add the schedule_rtsearch to the first file, and redeploy, or do I need to remove from the second file as well before I redeploy?

0 Karma
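The periodic btool check suggested above can be scripted. The following is an added example, not code from the thread or from Splunk: it parses the output of `splunk btool authorize list --debug` (which prefixes every effective line with the file it was read from), reports each setting whose winning file is outside the deployed bundle app, and renders the fully consolidated stanza to paste back into the bundle. The btool output embedded here is constructed from the two authorize.conf fragments in the last post, with /opt/splunk and the app name key_all_authentication assumed.

```python
import re

# Constructed sample of `splunk btool authorize list --debug` output, built
# from the two snippets in the thread; NOT captured from a real search head.
SAMPLE_BTOOL_DEBUG = """\
/opt/splunk/etc/apps/key_all_authentication/local/authorize.conf [role_mysample_user]
/opt/splunk/etc/apps/key_all_authentication/local/authorize.conf srchIndexesAllowed = infra_apigtwy
/opt/splunk/etc/apps/key_all_authentication/local/authorize.conf srchIndexesDefault = infra_apigtwy
/opt/splunk/etc/apps/key_all_authentication/local/authorize.conf importRoles = user
/opt/splunk/etc/apps/key_all_authentication/local/authorize.conf srchJobsQuota = 5
/opt/splunk/etc/apps/key_all_authentication/local/authorize.conf cumulativeSrchJobsQuota = 10
/opt/splunk/etc/system/local/authorize.conf schedule_rtsearch = disabled
"""

# btool --debug line: "<source .conf path>   <conf line contributed by that file>"
LINE_RE = re.compile(r"^(\S+\.conf)\s+(.*)$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_path)}} from btool --debug output."""
    effective = {}
    stanza = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or anything that is not a debug line
        path, body = m.groups()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
            effective.setdefault(stanza, {})
        elif "=" in body and stanza is not None:
            key, value = (part.strip() for part in body.split("=", 1))
            effective[stanza][key] = (value, path)
    return effective


def settings_outside_bundle(effective, bundle_app):
    """(stanza, key, value, path) for every effective setting whose winning file
    is not under etc/apps/<bundle_app>/, e.g. one written to system/local via Splunk Web."""
    marker = "/apps/%s/" % bundle_app
    return [(stanza, key, value, path)
            for stanza, keys in effective.items()
            for key, (value, path) in keys.items()
            if marker not in path]


def consolidated_stanza(effective, stanza):
    """Render the stanza with all effective keys, ready for the bundle's local/ conf."""
    lines = ["[%s]" % stanza]
    lines += ["%s = %s" % (k, v) for k, (v, _) in effective[stanza].items()]
    return "\n".join(lines)
```

Run `splunk btool authorize list --debug > out.txt` on a cluster member and feed the file to `parse_btool_debug`; anything returned by `settings_outside_bundle` is a setting that was changed outside the deployer bundle.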