Splunk® Enterprise

Distributed Search

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Add users to the search head cluster

In a search head cluster, all cluster members should maintain the same set of users, with the same set of roles.

To add users to the search head cluster, you can use any of the available authentication methods: Splunk Enterprise built-in authentication, LDAP, SAML, or scripted authentication. See the chapters on authentication in the Securing Splunk Enterprise manual for details.

In most cases, the cluster automatically synchronizes user configurations across its members. It uses configuration replication to do this. See "Configuration updates that the cluster replicates."

Use Splunk Enterprise built-in authentication

For Splunk Enterprise built-in authentication, you can use Splunk Web or the CLI to add users and map roles. Perform the operation on any one of the cluster members. The cluster then automatically distributes the changes to all members by replicating the $SPLUNK_HOME/etc/passwd file.

Authentication restrictions

Search head clustering places a few restrictions on how you configure authentication:

  • The cluster replicates the configuration changes automatically only if you configure authentication through Splunk Web, the Splunk CLI, or REST endpoints. If, instead, you edit a configuration file directly, you must use the deployer to distribute the file to the cluster members.
  • Even when you configure authentication through Splunk Web, the CLI, or REST endpoints, the cluster only replicates the underlying configuration files, plus the $SPLUNK_HOME/etc/passwd file in the case of built-in authentication. If the authentication method that you are employing requires any other associated, non-configuration files, you must use the deployer to distribute them to the cluster members. For example:
      • For SAML, you must use the deployer to push the certificates.
      • For scripted authentication, you must use the deployer to push the script. You must also use the deployer to push authentication.conf, because you can only configure scripted authentication by editing authentication.conf directly.

How to use the deployer to push authentication files

To push arbitrary groups of files, such as SAML certificates, from the deployer, you create an app directory specifically to contain those files.

For details on how to use the deployer to push files, see "Use the deployer to distribute apps and configuration updates."
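
The staging step described above, as an added example that is not part of the original Splunk documentation. It assumes the deployer's staging location is $SPLUNK_HOME/etc/shcluster/apps and that the push is done with "splunk apply shcluster-bundle", both taken from the deployer documentation rather than this page; the function name, the app name you pass, and the "auth" subdirectory are hypothetical.

```shell
#!/bin/sh
# Stage non-configuration authentication files (for example SAML certificates)
# in a dedicated app on the deployer. Run as the OS user that runs splunkd.
# Assumptions, not from the page: the app name you pass, the "auth"
# subdirectory, and the etc/shcluster/apps staging location.

stage_auth_app() {
    # $1 = deployer SPLUNK_HOME, $2 = app name, remaining args = files to stage
    splunk_home=$1; app=$2
    [ "$#" -ge 3 ] || { echo "usage: stage_auth_app HOME APP FILE..." >&2; return 1; }
    shift 2
    # Reject names that could escape the staging directory (e.g. "../x").
    case $app in
        ''|*[!A-Za-z0-9_-]*) echo "invalid app name: $app" >&2; return 2 ;;
    esac
    staging="$splunk_home/etc/shcluster/apps"
    [ -d "$staging" ] || { echo "no deployer staging dir: $staging" >&2; return 3; }
    # Check every input first so a bad file never leaves a half-built app.
    for f in "$@"; do
        if [ ! -f "$f" ] || [ ! -s "$f" ]; then
            echo "missing or empty file: $f" >&2; return 4
        fi
    done
    dest="$staging/$app/auth"
    mkdir -p "$dest" || return 5
    # Keep certificates and scripts readable only by the Splunk user here.
    chmod 700 "$staging/$app" "$dest" || return 5
    for f in "$@"; do
        target="$dest/$(basename "$f")"
        cp "$f" "$target" && chmod 600 "$target" || return 5
        echo "staged $target"
    done
    # Next step, run by hand on the deployer (member URI is a placeholder).
    # Leaving out -auth makes the CLI prompt instead of exposing the password
    # in shell history.
    echo "next: $splunk_home/bin/splunk apply shcluster-bundle -target https://<member>:8089"
}
```

Call it as, for example, stage_auth_app "$SPLUNK_HOME" org_auth_files /path/to/idp_cert.pem, then run the printed command to push the bundle to the members.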

Last modified on 21 November, 2016

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0

