Error in admin permissions by cleaning search head...

patrickvanreck · ‎05-28-2019

Hi all

I got some strange errors by trying to add more member nodes in our Search Head Cluster.
First of all, I could not add more members later on.

After reading the wiki Clean the Splunk instance and perfoming the following well explained steps, i got an error and the Search Head is now dead.

First I cleaned the Search head:

splunk stop
splunk clean all
splunk start

Then, trying again to add the member to the Search Head cluster, I got the following error:

/opt/splunk/bin/splunk init shcluster-config -auth admin:<password> -mgmt_uri  https://shc1.logcentral.media.int:8089 -replication_port 8090 -replication_factor 3 -conf_deploy_fetch_url  https://shcdep1.logcentral.media.int:8089 -secret <secret-pw> -shcluster_label Production_SHC 

You (user=admin) do not have permission to perform this operation (requires capability: edit_search_head_clustering).

Do you have any idea what's wrong?

vinkumar_splunk · ‎05-30-2019

You (user=admin) do not have permission to perform this operation (requires capability: edit_search_head_clustering).

The error denotes that the user does not have the capability to perform the action. You can tweak the authorize.conf or from GUI, Access controls » Roles » *** and provide the access under Capabilities.

By default, an admin will have the privilege.

Error in admin permissions by cleaning search head node

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases