Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

A lot of error messages : user=“nobody” had no roles after upgrade

pmerlin1
Path Finder
‎12-26-2024 02:21 AM

Since I migrated splunk to version 9.2.4, I've been getting a lot of error messages from all Splunk servers :
WARN UserManagerPro [16791 SchedulerThread] - Unable to get roles for user=nobody because: Failed to get LDAP user=“nobody” from any configured servers
ERROR UserManagerPro [16791 SchedulerThread] - user=“nobody” had no roles

I think these are all scheduled searches that are executed without an owner and therefore executed as user nobody.

These messages didn't appear with version 9.1

What's the best way to turn off these messages?
The annoying thing is that some searches come from Splunk apps (console monitoring, splunk archiver, etc.)

Labels (1)
Labels
Reply

MattibergB
Path Finder
‎02-23-2025 11:07 PM

Hi,

 

Did you find a fix besides reassinging all the savedsearches without a owner?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-30-2024 06:19 AM
Just guessing, but this sounds like issue with your authentication part.
At least earlier splunk has used user nobody as local user which are not existing or at least it haven't any roles. There is at least one old post which explains user nobody https://community.splunk.com/t5/All-Apps-and-Add-ons/Disambiguation-of-the-meaning-of-quot-nobody-qu...
Here is another post which explains how to find those scheduled searches https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-skipped-scheduled-accelerated-report...

Was there any issues with your upgrade? If I understand correctly you have update it from 9.1.x to 9.2.4? In which platform and is this distributed environment? What are behind your LDAP authentication and authorization directory? Do you know if there are or have been defined user nobody?

r. Ismo
0 Karma
Reply

pmerlin1
Path Finder
‎01-06-2025 08:28 AM

The behavior is very strange. To stop getting error messages, I had to reassign savedsearches to an existing admin account. The messages disappeared. It's a workaround.
But I get lots of similar messages when I navigate to the Scheduler Activity: Instance dashboard in the monitoring console:
01-06-2025 17:07:59.749 +0100 ERROR UserManagerPro [24247 TcpChannelThread] - user=“nobody” had no roles

0 Karma
Reply

joao_amorim
Communicator
‎09-15-2025 04:03 AM

Looks like a known issue for version 9.2

After upgrading to 9.2 ERROR UserManagerPro - user="nobody" had no roles message started to appear |...

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...