Splunk Enterprise

user-prefs.conf in a custom app

brent_weaver
Builder

I am creating a custom app for my company and I have put user-prefs.conf in default. The SHC always complains about this file when I push a bundle and a restart is required. Am I not supposed to house this file within an app? Does it need to go in etc/system/local?

Any help is much appreciated because at this point I cannot do a rolling restart of my SHC.

0 Karma

brent_weaver
Builder

Yes the roles exist:

[general_default]
default_earliest_time = -1h
default_latest_time = now

[role_predix-ops-user]
default_namespace = GE_Predix_App

[role_predix-sec-user]
default_namespace = GE_Predix_App

[role_predix-admin]
default_namespace = launcher

Is there something wrong with the file? Is there an issue with the general_default section? The roles exist in the same app actually:

[role_predix-admin]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = admin
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchMaxTime = 0

[role_predix-sec-user]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = *_security
srchMaxTime = 0

[role_predix-ops-user]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = *_predix_*;_*;last_chance_predix
srchIndexesDefault = *_predix_*
srchMaxTime = 30d
srchJobsQuota = 15
rtSrchJobsQuota = 1

Any insight is much appreciated!

0 Karma

brent_weaver
Builder

Something very worthy of note is that this only happens in our SHC, not on our standalone nodes. I cannot even do a rolling restart of the cluster.

0 Karma

ddrillic
Ultra Champion

In our case, we use $SPLUNK_HOME/etc/shcluster/apps/user-prefs/local/user-prefs.conf on the deployer to map the Splunk roles to the default_namespace - an app.

user-prefs.conf says -

-- To use one or more of these configurations, copy the configuration block into user-prefs.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.

0 Karma

ryanhast
Explorer

Is the role that your user-prefs.conf not deployed to your SHC? What is the error that SHC is barking about?
In my SHC I package the user-prefs.conf in a separate package to deploy to SHC. Any changes, I make them there.

0 Karma
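An added example, not code from any poster in this thread: a pre-push check on the deployer that each [role_...] stanza in user-prefs.conf has a matching role definition and that its default_namespace names an app that exists, which is the question raised in the reply above. It assumes the roles are defined in authorize.conf; the function names, the caller-supplied known_apps set and the [role_predix-auditor] stanza are hypothetical, and the sample text is constructed from the stanzas posted earlier.

```python
import configparser

# Constructed samples modelled on the stanzas posted in this thread.
# [role_predix-auditor] is invented here so the check has something to report.
USER_PREFS = """
[general_default]
default_earliest_time = -1h
[role_predix-ops-user]
default_namespace = GE_Predix_App
[role_predix-sec-user]
default_namespace = GE_Predix_App
[role_predix-admin]
default_namespace = launcher
[role_predix-auditor]
default_namespace = GE_Predix_App
"""

AUTHORIZE = """
[role_predix-admin]
importRoles = admin
[role_predix-sec-user]
importRoles = user
[role_predix-ops-user]
importRoles = user
"""

def parse_conf(text):
    # interpolation=None keeps '%' literal; optionxform=str keeps key case.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_user_prefs(user_prefs_text, authorize_text, known_apps):
    """Return findings for role stanzas that point at missing roles or apps."""
    prefs = parse_conf(user_prefs_text)
    roles = {s for s in parse_conf(authorize_text).sections() if s.startswith("role_")}
    findings = []
    for stanza in prefs.sections():
        if not stanza.startswith("role_"):
            continue  # general_default and per-user stanzas are out of scope
        if stanza not in roles:
            findings.append(f"{stanza}: no matching role stanza in authorize.conf")
        app = prefs[stanza].get("default_namespace")
        if app and app not in known_apps:
            findings.append(f"{stanza}: default_namespace '{app}' is not a known app")
    return findings

if __name__ == "__main__":
    print("\n".join(check_user_prefs(USER_PREFS, AUTHORIZE, {"GE_Predix_App", "launcher"})))
```

An empty result only means the role and app references line up; it does not identify what the SHC is complaining about, which still has to come from the actual error message.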