We have a clustered setup with server types including an indexer cluster, a search head cluster, and a separate cluster master.
We've implemented SSO with an auth script, but still receive messages from our indexers in splunkd.log to the effect of: ERROR AuthenticationManagerScripted - Script function getUserInfo failed for user: nobody. How can I get rid of this? Is this an indication of failed functionality when searches are executed by the (internal) nobody user?
We also see these for bot users, which are local Splunk accounts in the search head cluster. Do I need to ensure these users exist on the indexer cluster as well?
The script works fine, but fails for the user "nobody", since that is not a SSO user. It's a special Splunk user / the lack of a user. The docs state that the search heads send the authorization information to the peers at search time, so I'm not expecting this script to be run on search peers at all.