We are getting the following error on one of our Search Heads.
Splunk ver = 4.2.3
This happens when we run the "splunk btool check --debug" command.
Any ideas what we messed up? I think this is a bug.
Possible typo in stanza [roleMap] in /opt/splunk/etc/.... line **: user = SplunkAdmin
It sounds to me like you have defined a custom group called SplunkAdmin with a specific privilege level that "user" is assigned to.
Can you check your authorize.conf and see if stanza along the lines of
[role_SplunkAdmin]
Did this happen after a splunk upgrade? If it did, you may want to open up a case with splunk and get a splunkdiag going.
I do not have a [role_SplunkAdmin] entry in authorize.conf
This didn't happen after an upgrade perse, but this might have been an issue since we upgraded to 4.2.x
Isn't the issue with the [roleMap] syntax?