topic Re: After upgrade to 9.1.2 all users try to execute &quot;admin_all_objects&quot; in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683836#M19103 <P>I put a ticket into Splunk and found that its a "known" bug that is not in their normal KBDB but they will work to get it there, in the mean time per support and <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/186025">@SierraX</a>&nbsp;confirming, upgrading to 9.1.3 resolved the issue.&nbsp; I have requested if Splunk would be able to divulge what the bug was.&nbsp; &nbsp;Waiting for response.<BR /><BR />Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/186025">@SierraX</a>&nbsp;for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)</P> Wed, 10 Apr 2024 15:25:10 GMT cmeisch 2024-04-10T15:25:10Z After upgrade to 9.1.2 all users try to execute "admin_all_objects" https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/673195#M18242 <P>Hi,</P><P>Yesterday I upgraded a splunk instance from 8.2.6 to 9.1.2. Afterwards all users that have the role "user" are logging every 10 milliseconds this log:<BR /><BR /></P><LI-CODE lang="markup">01-04-2024 08:53:44.220 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]</LI-CODE><P>This issue is filling the index _audit very fast and I had to reduce the index size as a workaround but I doesn't resolve the problem.<BR /><BR />Have you ever have these problem in your enviroment?</P> Thu, 04 Jan 2024 09:48:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/673195#M18242 aguilard 2024-01-04T09:48:38Z Re: After upgrade to 9.1.2 all users try to execute "admin_all_objects" https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683644#M19091 <P>In looking for an audit event we saw this behavior too... anyone else?&nbsp;&nbsp;<BR /><BR />Did you get a response outside of your query?</P> Mon, 08 Apr 2024 19:47:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683644#M19091 cmeisch 2024-04-08T19:47:09Z Re: After upgrade to 9.1.2 all users try to execute "admin_all_objects" https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683705#M19096 <P>I just checked our Searchheads for this issue:<BR />We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3.<BR /><BR />Kind Regards</P> Tue, 09 Apr 2024 15:10:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683705#M19096 SierraX 2024-04-09T15:10:50Z Re: After upgrade to 9.1.2 all users try to execute "admin_all_objects" https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683836#M19103 <P>I put a ticket into Splunk and found that its a "known" bug that is not in their normal KBDB but they will work to get it there, in the mean time per support and <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/186025">@SierraX</a>&nbsp;confirming, upgrading to 9.1.3 resolved the issue.&nbsp; I have requested if Splunk would be able to divulge what the bug was.&nbsp; &nbsp;Waiting for response.<BR /><BR />Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/186025">@SierraX</a>&nbsp;for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)</P> Wed, 10 Apr 2024 15:25:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/683836#M19103 cmeisch 2024-04-10T15:25:10Z Re: After upgrade to 9.1.2 all users try to execute "admin_all_objects" https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/691623#M19695 <P>This is more of annoying log message issue. The log messages are intended to be suppressed and can be ignored unless it affects any Splunk performances in indexing or searching.&nbsp; Fix versions, 9.1.3+, 9.2.0+</P> Wed, 26 Jun 2024 02:37:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/After-upgrade-to-9-1-2-all-users-try-to-execute-quot-admin-all/m-p/691623#M19695 sylim_splunk 2024-06-26T02:37:02Z