Monitoring Splunk

A lot of error messages: user=“nobody” had no roles after upgrade

pmerlin1
Path Finder

Since I migrated Splunk to version 9.2.4, I've been getting a lot of error messages from all Splunk servers:
WARN UserManagerPro [16791 SchedulerThread] - Unable to get roles for user=nobody because: Failed to get LDAP user=“nobody” from any configured servers
ERROR UserManagerPro [16791 SchedulerThread] - user=“nobody” had no roles

I think these are all scheduled searches that are executed without an owner and therefore executed as user nobody.

These messages didn't appear with version 9.1.

What's the best way to turn off these messages?
The annoying thing is that some searches come from Splunk apps (console monitoring, splunk archiver, etc.)

0 Karma

MattibergB
Path Finder

Hi,

Did you find a fix besides reassigning all the savedsearches without an owner?

0 Karma

isoutamo
SplunkTrust
Just guessing, but this sounds like an issue with your authentication part.
At least in earlier versions, Splunk has used the user nobody as a local user which does not exist, or at least does not have any roles. There is at least one old post which explains the user nobody: https://community.splunk.com/t5/All-Apps-and-Add-ons/Disambiguation-of-the-meaning-of-quot-nobody-qu...
Here is another post which explains how to find those scheduled searches: https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-skipped-scheduled-accelerated-report...

Were there any issues with your upgrade? If I understand correctly, you updated it from 9.1.x to 9.2.4? On which platform, and is this a distributed environment? What is behind your LDAP authentication and authorization directory? Do you know if a user nobody is or has been defined?

r. Ismo
0 Karma

pmerlin1
Path Finder

The behavior is very strange. To stop getting error messages, I had to reassign savedsearches to an existing admin account. The messages disappeared. It's a workaround.
But I get lots of similar messages when I navigate to the Scheduler Activity: Instance dashboard in the monitoring console:
01-06-2025 17:07:59.749 +0100 ERROR UserManagerPro [24247 TcpChannelThread] - user=“nobody” had no roles

0 Karma
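
Added example (not posted by anyone in this thread, and not Splunk's own tooling): a small Python triage script that groups the UserManagerPro role-lookup messages quoted above by the thread that logged them. In the thread, SchedulerThread lines were tied to scheduled searches and the TcpChannelThread line appeared while browsing the monitoring console. The sample log is constructed from the messages quoted in the posts; the function names and all timestamps except the last quoted one are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the messages quoted in the thread.
# Only the TcpChannelThread timestamp comes from the posts; the rest are made up.
SAMPLE_LOG = """\
01-06-2025 17:05:00.101 +0100 WARN UserManagerPro [16791 SchedulerThread] - Unable to get roles for user=nobody because: Failed to get LDAP user="nobody" from any configured servers
01-06-2025 17:05:00.102 +0100 ERROR UserManagerPro [16791 SchedulerThread] - user="nobody" had no roles
01-06-2025 17:06:00.230 +0100 ERROR UserManagerPro [16791 SchedulerThread] - user="nobody" had no roles
01-06-2025 17:07:59.749 +0100 ERROR UserManagerPro [24247 TcpChannelThread] - user="nobody" had no roles
01-06-2025 17:08:01.000 +0100 INFO Metrics - group=thruput, name=index_thruput
"""

# Matches "<LEVEL> UserManagerPro [<tid> <thread>] - <message>"; works with or
# without a leading timestamp, since the first quoted lines were posted without one.
LINE_RE = re.compile(
    r'(?P<level>WARN|ERROR)\s+UserManagerPro\s+'
    r'\[(?P<tid>\d+)\s+(?P<thread>\w+)\]\s+-\s+(?P<msg>.*)$'
)
# Accepts straight quotes, the curly quotes forum rendering introduces, or none.
USER_RE = re.compile(r'user=["\u201c\u201d]?(?P<user>[^"\u201c\u201d\s]+)')


def summarize(log_text):
    """Count UserManagerPro messages per (thread, level, user)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated component or log level
        u = USER_RE.search(m.group("msg"))
        if u:
            counts[(m.group("thread"), m.group("level"), u.group("user"))] += 1
    return counts


def by_thread(counts, user="nobody"):
    """Collapse the counts to a per-thread total for one user."""
    totals = Counter()
    for (thread, _level, logged_user), n in counts.items():
        if logged_user == user:
            totals[thread] += n
    return dict(totals)


if __name__ == "__main__":
    for thread, n in sorted(by_thread(summarize(SAMPLE_LOG)).items()):
        print(f"{thread}: {n}")
```

Run against a copy of splunkd.log before and after reassigning saved searches: a falling SchedulerThread count with an unchanged TcpChannelThread count matches what the original poster observed.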