Solved: After deleting an old user, how to troubleshoot sp...

jravida · ‎04-23-2015

Hi folks,

Someone left my company, who had been experimenting with Splunk, so I went ahead and deleted their account. Now my splunkd.log is filling up with:

ERROR UserManagerPro - Could not get info on non-existent user="oldemployee"

Every 30 seconds it logs this.
I went ahead and tried this solution, and restarted Splunk, but they persist:
http://answers.splunk.com/answers/62380/splunk-searches-from-deleted-users.html

I also combed through saved searches, but I don't see anything that happens that frequently, and nothing is ascribed to the old user.

Is there any place I can look to sort this out?

stephane_cyrill · ‎04-23-2015

HI, here is your solution

answers.splunk.com/answers/70946/how-does-splunk-manage-ldap-or-ad-user-created-objects-if-the-user-is-no-longer-active.html

If you see many errors about missing user in the
splunkd.log, this is because deleted LDAP users
still own objects in splunk, by example a
scheduled search.
and you should clean it
Delete the objects/profile or migrate them to
another user or an app. See answer at the link provided.

View solution in original post

stephane_cyrill · ‎04-23-2015

HI, here is your solution

answers.splunk.com/answers/70946/how-does-splunk-manage-ldap-or-ad-user-created-objects-if-the-user-is-no-longer-active.html

If you see many errors about missing user in the
splunkd.log, this is because deleted LDAP users
still own objects in splunk, by example a
scheduled search.
and you should clean it
Delete the objects/profile or migrate them to
another user or an app. See answer at the link provided.

After deleting an old user, how to troubleshoot splunkd.log "ERROR UserManagerPro - Could not get info on non-existent user="oldemployee""?

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting