The authorization settings that a search peer uses when processing distributed searches are different from those that it uses for its local activities, such as administration and local search requests:
- When processing a distributed search, the search peer uses the settings contained in the knowledge bundle that the search head distributes to all the search peers when it sends them a search request. These settings are created and managed on the search head.
- When performing local activities, the search peer uses the authorization settings created and stored locally on the search peer itself.
When managing distributed searches, it is therefore important that you distinguish between these two types of authorization.
For background information, read "About role-based user access" in the Securing Splunk Enterprise manual
All authorization settings are stored in one or more
authorize.conf files. This includes settings configured through Splunk Web or the CLI. It is these
authorize.conf files that get distributed from the search head to the search peers. On the knowledge bundle, the files are usually located in either
Since search peers automatically use the settings in the knowledge bundle, things normally work fine. You configure roles for your users on the search head, and the search head automatically distributes those configurations to the search peers when it distributes the search itself.
Handle Raft issues
How users can control distributed searches
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2