System and Nobody had no roles

dcrooks_cbp · ‎11-01-2018

I am trying to get the System access attempts with invalid credentials. Folks with unknown user names. I am using the following search part: index=_internal sourcetype=splunkd user=* component=UserManagerPro

There are a ton of messages with the following:
message="user=\"system\" had no roles" and message="user=\"nobody\" had no roles"

I believe they can just be filtered out and I am using version 7.0.4

DLC

bohanlon_splunk · ‎10-07-2019

I believe you are right as per; https://answers.splunk.com/answers/636862/error-usermanagerpro-usersystem-had-no-roles.html

VatsalJagani · ‎11-02-2018

Hi @dcrooks_cbp,
Please try changing your part of query with this:

index=_internal sourcetype=splunkd UserManagerPro NOT TERM("had no roles")

Hope this helps!!

VatsalJagani · ‎11-01-2018

Hi @dcrooks_cbp,
Can you please provide a sample raw event? As on my dev instance I do not have any event with this criteria.

dcrooks_cbp · ‎11-01-2018

11-01-2018 13:49:01.942 +0000 ERROR UserManagerPro - user="system" had no roles

System and Nobody had no roles

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!