MSA - Insufficient privileges to collect resource usage metrics?

New Member


We decided to run Splunk (Windows) with an MSA (Managed Service Account) with the minimum permission requirements from this documentation:

These are the privileges we gave to this account:

Required basic permissions for the splunkd or splunkforwarder services

Full control over the Splunk Enterprise installation directory.
Read access to any files that you want to index.

Required Local/Domain Security Policy user rights assignments for the splunkd or splunkforwarder services

Permission to log on as a service.
Permission to log on as a batch job.
Permission to replace a process-level token.
Permission to act as part of the operating system.
Permission to bypass traverse checking.

So far, it works well. Also, we gave the MSA the "Modify" rights on the whole Splunk folder. There is only one problem:
Since we run it as an MSA, we get this error:

ERROR IntrospectionGenerator:resource_usage -  RU - Splunk was started with insufficient privileges to collect resource usage metrics. Please modify the service properties to run with Administrator privileges. Exiting.

I've searched everywhere, and no one seems to have this error on the web. Is there some documentation explaining the context of this error? Are there some privileges not shown in the Splunk documentation that are missing?

Also, I've noted that the "/var/log/introspection/resource_usage.log" file stopped being filled as soon as we activated the MSA.

Thanks in advance

0 Karma

Path Finder

Did you ever resolve this issue?
I am seeing the same.


0 Karma


My understanding is that you are still having permission issues. Stop the Splunk service, then re-apply the permissions recursively to the entire Splunk installation.
You can use the icacls Windows command to deploy these permissions. This is what I usually used when I had permission issues on the Splunk Windows installation.

I believe the command is similar to the one below:
icacls C:\splunk_path /grant "yourmsausers:F" /t

0 Karma


I forgot to mention to start the Splunk service after you deploy the permissions. It is important that you run the steps above with the Splunk service stopped, to guarantee that all the permissions will be redeployed properly.

0 Karma

New Member

This exact procedure was done previously.

  1. Stopped Splunk
  2. Changed the owner of Splunk folders to mine so I can change the permission without any problem.
  3. Applied the permissions (No problem was found)
  4. Re-assigned owner of Splunk folders to local system.
  5. Started Splunk.

Problem not resolved.

0 Karma


The issues I had and fixed with icacls were related to the local system account on Windows servers. Which user are you using to re-apply those permissions? I believe you have to run this command as administrator.

I found this other command from this link ->

icacls "c:\somelocation\of\path" /q /c /t /grant Users:F

F gives Full Access.

/q /c /t applies the permissions to subfolders.

In some cases, I had to move Splunk to another folder, re-apply the permissions, move it back to the original folder, and re-deploy the permissions again.
I am not really sure why this happens, but it seems something is preventing the folder from receiving the correct permissions. Make sure the user running the command has the proper access to change the permissions; as stated in the document, you have to apply the permissions as administrator.

0 Karma
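
A way to check what the thread keeps circling around: whether the service account really holds the five user rights and the directory access listed in the question, and whether introspection logging has stopped. This is an added example, not part of any post and not Splunk's own tooling; the service name `splunkd` and the install path `C:\Program Files\Splunk` are assumptions to adjust.

```powershell
# Added example, not from the thread. Assumed names: service 'splunkd', install path below.
# Run from an elevated prompt on the Splunk host.
$ServiceName = 'splunkd'
$InstallDir  = 'C:\Program Files\Splunk'

# User rights listed in the question, keyed by their Windows constant names.
$RequiredRights = [ordered]@{
    SeServiceLogonRight           = 'Log on as a service'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeAssignPrimaryTokenPrivilege = 'Replace a process-level token'
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
}

# 1. Resolve the account the service really runs as (expects DOMAIN\name$ for an MSA).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
"Service account: $account ($sid)"

# 2. Export the local user-rights assignments and look for a direct grant to that SID.
#    A right held only through a group (for example Everyone) shows as not direct.
$inf = Join-Path $env:TEMP 'splunk_user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$lines = Get-Content $inf
foreach ($right in $RequiredRights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $status = if ($holders -contains $sid) { 'granted directly' } else { 'NOT granted directly' }
    '{0,-38} {1}' -f $RequiredRights[$right], $status
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. List the ACEs (explicit and inherited) on the install directory that name the account.
$rules = (Get-Acl $InstallDir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$rules | Where-Object { $_.IdentityReference.Value -eq $sid } |
    Format-Table FileSystemRights, AccessControlType, IsInherited -AutoSize

# 4. Confirm whether introspection data is still being written (file named in the question).
$log = Join-Path $InstallDir 'var\log\introspection\resource_usage.log'
if (Test-Path $log) {
    "resource_usage.log last written: $((Get-Item $log).LastWriteTime)"
} else { "resource_usage.log not found under $InstallDir" }
```

Domain Group Policy can overwrite local user-rights assignments at the next refresh, so re-run the check after `gpupdate` if a right that was granted by hand shows as missing.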