
Why do I get this error in splunkd.log? "SearchScheduler - Error in 'DispatchManager': The user 'splunk-system-user' does not have sufficient search privleges"

torustad
Path Finder

Seemingly after I installed the apps "Splunk App for Windows Infrastructure" and "Windows Add-on", the following error messages are flooding splunkd.log:

03-05-2015 15:48:51.448 +0100 ERROR DispatchManager - The user 'splunk-system-user' does not have sufficient search privleges.
03-05-2015 15:48:51.448 +0100 ERROR SearchScheduler - Error in 'DispatchManager': The user 'splunk-system-user' does not have sufficient search privleges.

I do not understand what they mean.

At the same time in the audit.log:

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD589d00151dd198770_at_1425566400_92588', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `dm_license_summary_10m_by_pool` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_49ee7cac9a05cfbf_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD5758fe1b10509f00e_at_1425566400_92589', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `sourcetypes_summary_10m` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_463c95b47e289f0f_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD5b13a71946e1b9d14_at_1425566400_92590', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `dm_license_summary_10m_by_source` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_6030b06d30f6e6f4_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD5825f35f83c8311df_at_1425566400_92591', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `dm_license_summary_10m_by_host` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_26e747c470c62ba8_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD5b453f9e7776e363e_at_1425566400_92592', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `sources_summary_10m` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_74744182914e20d1_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD5cb7dc0fcb8381ee5_at_1425566400_92593', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `dm_license_summary_10m` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_28e51b5378d59f27_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD53af21b05a677c086_at_1425566400_92594', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `dm_license_summary_10m_by_forwarder` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Mar 05 15:40:00 2015', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_ef0750b59633eb8b_ACCELERATE_"][n/a]

03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_c3BsdW5rX2RlcGxveW1lbnRfbW9uaXRvcg__RMD5c2d3abf2a0486f8a_at_1425566400_92595', search=' summarize override=partial timespan= max_summary_size=52428800 max_summary_ratio=0.1 max_disabled_buckets=2 max_time=3600 [ search `indexers_summary_10m` ]', autojoin='1', buckets=0, ttl=60, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Fri Dec 05 00:00:00 2014', apiEndTime='Thu Jan 01 01:00:00 1970', savedsearch_name="_ACCELERATE_B4CAB4FC-62FD-4955-8951-F2777F04C839_splunk_deployment_monitor_nobody_3c6084d7f35794cf_ACCELERATE_"][n/a]

Thanks for any help,
Bård Tørustad
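Added example, not from the thread: a small parser for the AuditLogger lines quoted above that pulls out every denied search, the user it ran as, the app whose acceleration job produced it (decoded from the _ACCELERATE_ savedsearch_name) and the macro being summarized, so the denials can be counted and traced back to their owner instead of read one by one. The sample lines are constructed from the ones in the question with shortened placeholder search_id and GUID values.

```python
import re

# Constructed sample lines modelled on the audit.log entries quoted in the
# question; search_id and the acceleration GUID are shortened placeholders.
SAMPLE_AUDIT = """\
03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_PLACEHOLDER_at_1425566400_92588', search=' summarize override=partial timespan= max_summary_size=52428800 max_time=3600 [ search `dm_license_summary_10m_by_pool` ]', autojoin='1', buckets=0, ttl=60, savedsearch_name="_ACCELERATE_PLACEHOLDER_splunk_deployment_monitor_nobody_49ee7cac9a05cfbf_ACCELERATE_"][n/a]
03-05-2015 15:48:51.448 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:48:51.448, user=splunk-system-user, action=search, info=denied , search_id='scheduler__nobody_PLACEHOLDER_at_1425566400_92589', search=' summarize override=partial timespan= max_summary_size=52428800 max_time=3600 [ search `sourcetypes_summary_10m` ]', autojoin='1', buckets=0, ttl=60, savedsearch_name="_ACCELERATE_PLACEHOLDER_splunk_deployment_monitor_nobody_463c95b47e289f0f_ACCELERATE_"][n/a]
03-05-2015 15:49:00.000 +0100 INFO  AuditLogger - Audit:[timestamp=03-05-2015 15:49:00.000, user=admin, action=search, info=granted , search_id='1425566940.1', search='search index=main error', autojoin='1', savedsearch_name=""][n/a]
"""

# One anchored regex per field: naive splitting on commas breaks on the
# commas and brackets inside the quoted search string.
FIELD_RE = {
    "user": re.compile(r"\buser=([^,\]]+)"),
    "action": re.compile(r"\baction=([^,\]]+)"),
    "info": re.compile(r"\binfo=([^,\]]+)"),
    "search": re.compile(r"\bsearch='((?:[^'\\]|\\.)*)'"),
    "savedsearch_name": re.compile(r'savedsearch_name="([^"]*)"'),
}
# _ACCELERATE_<guid>_<app>_<owner>_<16 hex>_ACCELERATE_ (app may contain underscores)
ACCEL_RE = re.compile(r"^_ACCELERATE_[^_]+_(.+)_([^_]+)_[0-9a-f]{16}_ACCELERATE_$")

def _field(rx, line):
    m = rx.search(line)
    return m.group(1).strip() if m else ""

def parse_audit_line(line):
    """Return the fields of one AuditLogger line, or None for any other line."""
    if "AuditLogger - Audit:[" not in line:
        return None
    rec = {name: _field(rx, line) for name, rx in FIELD_RE.items()}
    m = re.search(r"`([^`]+)`", rec["search"])  # macro the summary is built from
    rec["macro"] = m.group(1) if m else ""
    return rec

def owning_app(savedsearch_name):
    """Split an _ACCELERATE_ name into (app, owner); None if it is not that form."""
    m = ACCEL_RE.match(savedsearch_name)
    return (m.group(1), m.group(2)) if m else None

def denied_searches(lines):
    """(user, app, macro) for every search the audit log recorded as denied."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["action"] == "search" and rec["info"] == "denied":
            app = owning_app(rec["savedsearch_name"])
            out.append((rec["user"], app[0] if app else "", rec["macro"]))
    return out
```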

torustad
Path Finder

I found that the following lines had been added to .../Splunk/etc/system/local/authorize.conf:

[role_admin]
importRoles =
srchIndexesDefault = akseptanse;main;msad;perfmon;summary;windows;wineventlog;winevents
srchMaxTime = 8640000

After having removed these lines the messages above do not occur in splunkd.log anymore.

I do not know how those lines came to be added to authorize.conf (I did not do it myself explicitly :-)); maybe when I removed some app, or when I edited the role_admin role to make the "Splunk app for Microsoft Windows infrastructure" work.

Should this happen at all?

0 Karma
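Added example, not from the thread: a check that layers a local authorize.conf over the default one the way Splunk's precedence works (local key wins) and flags role stanzas whose local override blanks importRoles or drops indexes from srchIndexesDefault, which is exactly the shape of the stanza found above. The default content below is a constructed stand-in, not a copy of the shipped $SPLUNK_HOME/etc/system/default/authorize.conf; run it against your own files.

```python
import configparser

# Constructed stand-in for etc/system/default/authorize.conf; values are
# illustrative, not a copy of the file Splunk ships.
DEFAULT_CONF = """\
[role_admin]
importRoles = power;user
srchIndexesDefault = main
srchMaxTime = 8640000
"""

# The stanza the poster found in etc/system/local/authorize.conf.
LOCAL_CONF = """\
[role_admin]
importRoles =
srchIndexesDefault = akseptanse;main;msad;perfmon;summary;windows;wineventlog;winevents
srchMaxTime = 8640000
"""

def load_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive (importRoles)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def local_overrides(default_text, local_text):
    """Keys whose local value differs from default: {stanza: {key: (default, local)}}."""
    default, local = load_conf(default_text), load_conf(local_text)
    diffs = {}
    for stanza, keys in local.items():
        base = default.get(stanza, {})
        changed = {k: (base.get(k), v) for k, v in keys.items() if base.get(k) != v}
        if changed:
            diffs[stanza] = changed
    return diffs

def risky_role_overrides(default_text, local_text):
    """Role stanzas where local blanks importRoles or removes default indexes."""
    findings = []
    for stanza, changed in local_overrides(default_text, local_text).items():
        if not stanza.startswith("role_"):
            continue
        if "importRoles" in changed and not (changed["importRoles"][1] or "").strip():
            findings.append((stanza, "importRoles", "inheritance removed"))
        if "srchIndexesDefault" in changed:
            before, after = changed["srchIndexesDefault"]
            lost = set((before or "").split(";")) - set((after or "").split(";")) - {""}
            if lost:
                findings.append((stanza, "srchIndexesDefault", "dropped " + ";".join(sorted(lost))))
    return findings
```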

malmoore
Splunk Employee

Does the splunk-system-user user have the winfra-admin role?

You should not need to edit roles manually - simply assign the winfra-admin role to the user that you log in as to run the app, and you should be done with that part.

0 Karma

torustad
Path Finder

Version information:
Splunk Version: 6.2.1
Splunk Build: 245427

0 Karma