{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Splunk deployment with indexer, search head clustering and cluster master. QS(5030)", "Parameters": { "WebClientLocation": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", "Description": "The IP address range that is allowed to connect to the Splunk web interface. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", "MaxLength": "19", "MinLength": "9", "Type": "String" }, "HECClientLocation": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", "Description": "The IP address range that is allowed to send data to Splunk HTTP Event Collector. 
Note: a value of 0.0.0.0/0 will allow access from ANY ip address", "MaxLength": "19", "MinLength": "9", "Type": "String" }, "IndexerInstanceType": { "AllowedValues": [ "c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", "c5.18xlarge", "i3.2xlarge", "i3.4xlarge", "i3.8xlarge" ], "Description": "EC2 instance type for Splunk Indexers", "ConstraintDescription": "must be a valid EC2 instance type.", "Default": "c5.4xlarge", "Type": "String" }, "SearchHeadInstanceType": { "AllowedValues": [ "c4.2xlarge", "c4.4xlarge", "c4.8xlarge", "r4.4xlarge", "r4.8xlarge", "r4.16xlarge", "c5.2xlarge", "c5.4xlarge", "c5.9xlarge", "m5.2xlarge", "m5.4xlarge", "m5.12xlarge" ], "Description": "EC2 instance type for Splunk Search Heads", "ConstraintDescription": "must be a valid EC2 instance type.", "Default": "c5.4xlarge", "Type": "String" }, "IndexerApps": { "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on indexer(s)", "Default": "", "Type": "CommaDelimitedList" }, "SearchHeadApps": { "Description": "Comma separated list of URLs of Splunk App (or Add-on) tarballs (.spl) to pre-install on search head(s)", "Default": "", "Type": "CommaDelimitedList" }, "KeyName": { "ConstraintDescription": "Must be the name of an existing EC2 KeyPair.", "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance", "Type": "AWS::EC2::KeyPair::KeyName" }, "NumberOfAZs": { "AllowedValues": [ "2", "3" ], "Default": "2", "Description": "Number of Availability Zones to use in the VPC. 
This must match the number of public subnet IDs entered as parameters", "Type": "String" }, "PublicSubnet1ID": { "Description": "ID of Splunk public subnet 1 in Availability Zone 1 (e.g., subnet-xxxxxxxx)", "Type": "AWS::EC2::Subnet::Id" }, "PublicSubnet2ID": { "Description": "ID of Splunk public subnet 2 in Availability Zone 2 (e.g., subnet-xxxxxxxx)", "Type": "AWS::EC2::Subnet::Id" }, "PublicSubnet3ID": { "Description": "ID of Splunk public subnet 3 in Availability Zone 3 (e.g., subnet-xxxxxxxx)", "Type": "AWS::EC2::Subnet::Id", "Default": "" }, "QSS3BucketName": { "Default": "splk-quickstart-testing", "Description": "S3 bucket name for the Quick Start assets.", "Type": "String" }, "QSS3KeyPrefix": { "Default": "quickstart-splunk-enterprise/", "Description": "S3 key prefix for the Quick Start assets.", "Type": "String" }, "SHCEnabled": { "AllowedValues": [ "yes", "no" ], "Default": "no", "Description": "Do you want to build a Splunk search head cluster?", "Type": "String" }, "SSHClientLocation": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", "ConstraintDescription": "Must be a valid IP range in x.x.x.x/x notation. Use 0.0.0.0/0 for no restrictions.", "Description": "The IP address range that is allowed to SSH to the EC2 instances. Note: a value of 0.0.0.0/0 will allow access from ANY ip address", "MaxLength": "19", "MinLength": "9", "Type": "String" }, "SplunkAdminPassword": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "ConstraintDescription": "Must be at least 6 characters containing letters, numbers and symbols.", "Description": "Admin password for Splunk. 
Must be at least 6 characters containing letters, numbers and symbols.", "MaxLength": "32", "MinLength": "6", "NoEcho": "true", "Type": "String" }, "SplunkIndexerCount": { "ConstraintDescription": "must be a valid number, 3-10", "Default": "3", "Description": "How many Splunk indexers to launch. [3-10]", "MaxValue": "10", "MinValue": "3", "Type": "Number" }, "SplunkIndexerDiskSize": { "ConstraintDescription": "must be a valid number, 320-16000", "Default": "320", "Description": "The size of the attached EBS volume to the Splunk indexers. (in GB)", "MaxValue": "16000", "MinValue": "320", "Type": "Number" }, "SplunkSearchHeadDiskSize": { "ConstraintDescription": "must be a valid number, 320-16000", "Default": "320", "Description": "The size of the attached EBS volume to the Splunk search head(s). (in GB)", "MaxValue": "16000", "MinValue": "320", "Type": "Number" }, "SplunkLicenseBucket": { "Default": "", "Description": "Name of private S3 bucket with licenses to be accessed via authenticated requests", "Type": "String" }, "SplunkLicensePath": { "Default": "", "Description": "Path to license file in S3 Bucket (without leading '/')", "Type": "String" }, "SplunkReplicationFactor": { "ConstraintDescription": "must be a valid number, 2-4", "Default": "2", "Description": "How many copies of data should be stored in the Splunk Indexer Cluster", "MaxValue": "4", "MinValue": "2", "Type": "Number" }, "SplunkSearchFactor": { "ConstraintDescription": "must be a valid number, 2-4", "Default": "2", "Description": "How many copies of data should be searchable in the Splunk indexer clusters", "MaxValue": "4", "MinValue": "2", "Type": "Number" }, "SplunkClusterSecret": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", "Description": "Shared 
cluster secret for Search Head and Indexer cluster nodes. Must be at least 8 characters containing letters, numbers and symbols.", "MaxLength": "32", "MinLength": "8", "NoEcho": "true", "Type": "String" }, "SplunkIndexerDiscoverySecret": { "AllowedPattern": "(?=^.{6,255}$)((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))^.*", "ConstraintDescription": "Must be at least 8 characters containing letters, numbers and symbols.", "Description": "Security key used for communication between your forwarders and the cluster master. This value should also be used by forwarders in order to retrieve list of available peer nodes from cluster master. Must be at least 8 characters containing letters, numbers and symbols.", "MaxLength": "32", "MinLength": "8", "NoEcho": "true", "Type": "String" }, "VPCCIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$", "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x.", "Description": "VPC CIDR Block (x.x.x.x/x notation)", "Type": "String" }, "VPCID": { "Description": "VPC ID", "Type": "AWS::EC2::VPC::Id" } }, "Metadata": { "AWSAMIRegionMap":{ "Filters":{ "SPLUNKENTHVM":{ "name":"splunk_marketplace_AMI_*", "owner-alias":"aws-marketplace", "product-code.type":"marketplace" } } }, "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "AWS Instance and Network Settings" }, "Parameters": [ "IndexerInstanceType", "SearchHeadInstanceType", "KeyName", "WebClientLocation", "HECClientLocation", "SSHClientLocation", "VPCID", "VPCCIDR", "PublicSubnet1ID", "PublicSubnet2ID", "PublicSubnet3ID", "NumberOfAZs" ] }, { "Label": { "default": "Splunk Settings" }, "Parameters": [ "SplunkAdminPassword", "SplunkClusterSecret", "SplunkIndexerDiscoverySecret", "SplunkLicenseBucket", "SplunkLicensePath", 
"SplunkIndexerCount", "SplunkIndexerDiskSize", "SplunkSearchHeadDiskSize", "SplunkReplicationFactor", "SplunkSearchFactor", "SHCEnabled", "IndexerApps", "SearchHeadApps" ] } ], "ParameterLabels": { "QSS3BucketName": { "default": "QuickStart S3 Bucket Name" }, "QSS3KeyPrefix": { "default": "QuickStart S3 Key Prefix" }, "WebClientLocation": { "default": "Permitted CIDR for Splunk web interface" }, "HECClientLocation": { "default": "Permitted CIDR for Splunk HTTP event collector input" }, "IndexerInstanceType": { "default": "EC2 instance type for Splunk indexer" }, "SearchHeadInstanceType": { "default": "EC2 instance type for Splunk search head" }, "KeyName": { "default": "Key Name" }, "PublicSubnet1ID": { "default": "Public Subnet 1 ID" }, "PublicSubnet2ID": { "default": "Public Subnet 2 ID" }, "PublicSubnet3ID": { "default": "Public Subnet 3 ID" }, "NumberOfAZs": { "default": "Number of Availability Zones" }, "SHCEnabled": { "default": "Enable Search Head Cluster?" }, "SSHClientLocation": { "default": "Permitted CIDR for ssh" }, "SplunkAdminPassword": { "default": "Splunk Admin Password" }, "SplunkIndexerCount": { "default": "No. 
of Splunk Indexers" }, "SplunkIndexerDiskSize": { "default": "Indexer Disk Size" }, "SplunkSearchHeadDiskSize": { "default": "Search Head(s) Disk Size" }, "SplunkLicenseBucket": { "default": "Splunk License Bucket" }, "SplunkLicensePath": { "default": "Splunk License S3 Bucket Path" }, "SplunkReplicationFactor": { "default": "Index Cluster Replication Factor" }, "SplunkSearchFactor": { "default": "Index Cluster Search Factor" }, "SplunkClusterSecret": { "default": "Shared Security Key for Cluster Nodes" }, "SplunkIndexerDiscoverySecret": { "default": "Shared Security Key for Forwarders using Indexer Discovery" }, "IndexerApps": { "default": "Apps/Add-ons to pre-Install on Splunk Indexers" }, "SearchHeadApps": { "default": "Apps/Add-ons to pre-Install on Splunk Search Heads" }, "VPCCIDR": { "default": "VPC CIDR" }, "VPCID": { "default": "VPC ID" } } } }, "Conditions": { "Create3AZ": { "Fn::Equals": [ { "Ref": "NumberOfAZs" }, "3" ] }, "CreateSingleSearchHead": { "Fn::Equals": [ { "Ref": "SHCEnabled" }, "no" ] }, "CreateSHC": { "Fn::Equals": [ { "Ref": "SHCEnabled" }, "yes" ] }, "InstallIndexerApps": { "Fn::Not": [ { "Fn::Equals": [ { "Fn::Join": [ "", { "Ref": "IndexerApps" } ] }, "" ] } ] }, "InstallSearchHeadApps": { "Fn::Not": [ { "Fn::Equals": [ { "Fn::Join": [ "", { "Ref": "SearchHeadApps" } ] }, "" ] } ] }, "ConfigureLicense": { "Fn::And": [ { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "SplunkLicenseBucket" } ] } ] }, { "Fn::Not": [ { "Fn::Equals": [ "", { "Ref": "SplunkLicensePath" } ] } ] } ] } }, "Mappings": { "AWSAMIRegionMap": { "AMI": { "SPLUNKENTHVM": "splunk_marketplace_AMI_2018-10-16_22_07_36-7b65de6c-5006-4ca2-bd75-fdba95ae5d9d-ami-0d494b5a999e1c49f.4" }, "ap-northeast-1": { "SPLUNKENTHVM": "ami-0db36f11d65f551fb" }, "ap-northeast-2": { "SPLUNKENTHVM": "ami-09c7965888207979b" }, "ap-south-1": { "SPLUNKENTHVM": "ami-07c20db6edfd45f98" }, "ap-southeast-1": { "SPLUNKENTHVM": "ami-0e7b7ca1bdcdd93a6" }, "ap-southeast-2": { "SPLUNKENTHVM": 
"ami-0c8a4d5bdf83f0df8" }, "ca-central-1": { "SPLUNKENTHVM": "ami-02f085f4514fa7145" }, "eu-central-1": { "SPLUNKENTHVM": "ami-09ce965c3b1a9a1cb" }, "eu-west-1": { "SPLUNKENTHVM": "ami-0fafe9e81915f154e" }, "eu-west-2": { "SPLUNKENTHVM": "ami-060d9e50d310e0ebb" }, "sa-east-1": { "SPLUNKENTHVM": "ami-0dacd4005280936e5" }, "us-east-1": { "SPLUNKENTHVM": "ami-0484972f36720ea7f" }, "us-east-2": { "SPLUNKENTHVM": "ami-04b6874c649721f0a" }, "us-west-1": { "SPLUNKENTHVM": "ami-0377011a3f771e353" }, "us-west-2": { "SPLUNKENTHVM": "ami-0c3e33232b6c07537" } }, "SplunkConfig": { "dedicated-instance-type": { "clusterMaster": "c5.xlarge", "shclusterDeployer": "c5.xlarge" }, "shcluster-replication-factor": { "num": "3" }, "labels": { "cluster": "IndexerCluster", "shcluster": "SearchHeadCluster" } } }, "Resources": { "SplunkSearchHeadSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPCID" }, "GroupDescription": "Enable port 8000 for Splunk web interface, port 8090 for SHC replication, and port 8191 for KV store replication", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000, "CidrIp": { "Ref": "WebClientLocation" } }, { "IpProtocol": "tcp", "FromPort": 8090, "ToPort": 8090, "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": 8191, "ToPort": 8191, "CidrIp": { "Ref": "VPCCIDR" } } ], "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Name", "Value": "SplunkSearchHeadSecurityGroup" } ] } }, "SplunkIndexerSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPCID" }, "GroupDescription": "Enable port 9997 for splunktcp input, port 8088 for HEC input, port 514 for tcp/udp input, and port 9887 for data replication", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 9997, "ToPort": 9997, "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088, "SourceSecurityGroupId": { "Ref": 
"SplunkHttpEventCollectorLoadBalancerSecurityGroup" } }, { "IpProtocol": "tcp", "FromPort": 514, "ToPort": 514, "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": 514, "ToPort": 514, "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": 9887, "ToPort": 9887, "CidrIp": { "Ref": "VPCCIDR" } } ], "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Name", "Value": "SplunkIndexerSecurityGroup" } ] } }, "SplunkSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPCID" }, "GroupDescription": "Enable administrative ports like restricted SSH and management port", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": { "Ref": "SSHClientLocation" } }, { "IpProtocol": "tcp", "FromPort": 8089, "ToPort": 8089, "CidrIp": { "Ref": "VPCCIDR" } } ], "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Name", "Value": "SplunkSecurityGroup" } ] } }, "SplunkHttpEventCollectorLoadBalancerSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VPCID" }, "GroupDescription": "Enable port 8088 on ELB for HEC input", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 8088, "ToPort": 8088, "CidrIp": { "Ref": "HECClientLocation" } } ], "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Name", "Value": "SplunkHttpEventCollectorLoadBalancerSecurityGroup" } ] } }, "SplunkSearchHeadInstance": { "Type": "AWS::EC2::Instance", "Condition": "CreateSingleSearchHead", "CreationPolicy": { "ResourceSignal": { "Timeout": "PT60M" } }, "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSAMIRegionMap", { "Ref": "AWS::Region" }, "SPLUNKENTHVM" ] }, "InstanceType": { "Ref": "SearchHeadInstanceType" }, "KeyName": { "Ref": "KeyName" }, "Tags": [ { "Key": "Application", "Value": { "Ref": "AWS::StackId" } }, { "Key": "Role", "Value": "splunk-search-head" }, { "Key": "Name", "Value": 
"search-head" } ], "NetworkInterfaces": [ { "GroupSet": [ { "Ref": "SplunkSecurityGroup" }, { "Ref": "SplunkSearchHeadSecurityGroup" } ], "AssociatePublicIpAddress": true, "DeviceIndex": "0", "DeleteOnTermination": true, "SubnetId": { "Ref": "PublicSubnet1ID" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/xvda", "Ebs": { "VolumeType": "gp2", "VolumeSize": { "Ref": "SplunkSearchHeadDiskSize" } } } ], "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash -v\n", "# First make cloud-init output log readable by root only to protect sensitive parameter values\n", "chmod 600 /var/log/cloud-init-output.log\n", "yum update -y aws-cfn-bootstrap\n", "export LOCALIP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)\n", "export INSTANCEID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)\n", "export SPLUNK_USER=splunk\n", "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", "export SPLUNK_HOME=/opt/splunk\n", "printf '%s\t%s\n' \"$LOCALIP\" 'splunksearch' >> /etc/hosts\n", "hostname splunksearch\n", "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf </dev/null)\n", "export SPLUNK_USER=splunk\n", "export SPLUNK_BIN=/opt/splunk/bin/splunk\n", "export SPLUNK_HOME=/opt/splunk\n", "# remove stale splunkd.log that ships with AMI.\n", "rm -f $SPLUNK_HOME/var/log/splunk/splunkd.log\n", "printf '%s\t%s\n' \"$LOCALIP\" 'splunklicense' >> /etc/hosts\n", "hostname splunklicense\n", "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/system/local/server.conf < /tmp/token\n", "TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token` && rm /tmp/token\n", "echo $TOKEN\n", "mkdir -p 
$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", "mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local\n", "# Peer config 2: Enable splunktcp input\n", "cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <> /etc/hosts\n", "hostname splunk-shc-deployer\n", "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <> /etc/hosts\n", "hostname splunksearch\n", "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", "hostname splunksearch\n", "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <> /etc/hosts\n", "hostname splunksearch\n", "mv $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/passwd.bak\n", "cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <$SPLUNK_HOME/etc/system/local/web.conf <>$SPLUNK_HOME/etc/system/local/server.conf <>$SPLUNK_HOME/etc/system/local/user-seed.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <