Hi:
A few days ago, after messing about with users and roles, I had the unfortunate occurrence of splunkd failing after just a minute or so. Looking through the recorded crash.log, I see the following:
libc++abi.dylib: terminating with uncaught exception of type SearchProcessorException: Error in 'DispatchCommand': The user 'splunk-system-user' does not have sufficient search privleges.
After searching high and low, I can't seem to find an answer to this?
Help! 🙂
kf
Found my own answer, with help from Splunk Ninja!
Turns out, there is an authorize.conf file located in $SPLUNK_HOME/etc/system/local that contains anything relevant to your instance of Splunk and user permissions relating to searches. Since this is a generated file from user input (users and roles), simply rename this file, and restart Splunk. Splunk will then create a new "default" authorize.conf file in local for you. If you need to, go ahead and make auth changes (being careful not to crash Splunk again! :).
Found my own answer, with help from Splunk Ninja!
Turns out, there is an authorize.conf file located in $SPLUNK_HOME/etc/system/local that contains anything relevant to your instance of Splunk and user permissions relating to searches. Since this is a generated file from user input (users and roles), simply rename this file, and restart Splunk. Splunk will then create a new "default" authorize.conf file in local for you. If you need to, go ahead and make auth changes (being careful not to crash Splunk again! :).