Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

A lot of error messages : user=“nobody” had no roles after upgrade

pmerlin1
Path Finder
‎12-26-2024 02:21 AM

Since I migrated splunk to version 9.2.4, I've been getting a lot of error messages from all Splunk servers :
WARN UserManagerPro [16791 SchedulerThread] - Unable to get roles for user=nobody because: Failed to get LDAP user=“nobody” from any configured servers
ERROR UserManagerPro [16791 SchedulerThread] - user=“nobody” had no roles

I think these are all scheduled searches that are executed without an owner and therefore executed as user nobody.

These messages didn't appear with version 9.1

What's the best way to turn off these messages?
The annoying thing is that some searches come from Splunk apps (console monitoring, splunk archiver, etc.)

Labels (1)
Labels
Reply

MattibergB
Path Finder
‎02-23-2025 11:07 PM

Hi,

 

Did you find a fix besides reassinging all the savedsearches without a owner?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-30-2024 06:19 AM
Just guessing, but this sounds like issue with your authentication part.
At least earlier splunk has used user nobody as local user which are not existing or at least it haven't any roles. There is at least one old post which explains user nobody https://community.splunk.com/t5/All-Apps-and-Add-ons/Disambiguation-of-the-meaning-of-quot-nobody-qu...
Here is another post which explains how to find those scheduled searches https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-skipped-scheduled-accelerated-report...

Was there any issues with your upgrade? If I understand correctly you have update it from 9.1.x to 9.2.4? In which platform and is this distributed environment? What are behind your LDAP authentication and authorization directory? Do you know if there are or have been defined user nobody?

r. Ismo
0 Karma
Reply

pmerlin1
Path Finder
‎01-06-2025 08:28 AM

The behavior is very strange. To stop getting error messages, I had to reassign savedsearches to an existing admin account. The messages disappeared. It's a workaround.
But I get lots of similar messages when I navigate to the Scheduler Activity: Instance dashboard in the monitoring console:
01-06-2025 17:07:59.749 +0100 ERROR UserManagerPro [24247 TcpChannelThread] - user=“nobody” had no roles

0 Karma
Reply

joao_amorim
Communicator
‎09-15-2025 04:03 AM

Looks like a known issue for version 9.2

After upgrading to 9.2 ERROR UserManagerPro - user="nobody" had no roles message started to appear |...

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...