Solved: Splunkd Crash: The user 'splunk-system-user' does ...

kfeagans_splunk · ‎07-30-2013

Hi:

A few days ago, after messing about with users and roles, I had the unfortunate occurrence of splunkd failing after just a minute or so. Looking through the recorded crash.log, I see the following:

libc++abi.dylib: terminating with uncaught exception of type SearchProcessorException: Error in 'DispatchCommand': The user 'splunk-system-user' does not have sufficient search privleges.

After searching high and low, I can't seem to find an answer to this?

Help! 🙂

kf

kfeagans_splunk · ‎07-30-2013

Found my own answer, with help from Splunk Ninja!

Turns out, there is an authorize.conf file located in $SPLUNK_HOME/etc/system/local that contains anything relevant to your instance of Splunk and user permissions relating to searches. Since this is a generated file from user input (users and roles), simply rename this file, and restart Splunk. Splunk will then create a new "default" authorize.conf file in local for you. If you need to, go ahead and make auth changes (being careful not to crash Splunk again! :).

View solution in original post

kfeagans_splunk · ‎07-30-2013

Found my own answer, with help from Splunk Ninja!

Turns out, there is an authorize.conf file located in $SPLUNK_HOME/etc/system/local that contains anything relevant to your instance of Splunk and user permissions relating to searches. Since this is a generated file from user input (users and roles), simply rename this file, and restart Splunk. Splunk will then create a new "default" authorize.conf file in local for you. If you need to, go ahead and make auth changes (being careful not to crash Splunk again! :).

Splunkd Crash: The user 'splunk-system-user' does not have sufficient search privleges

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases