Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunkd.log error message

fuster_j
Path Finder
‎06-01-2012 02:36 PM

Hi,

I have this error message repeats twice every 5 seconds in splunkd.log: "ERROR AuthenticationManagerLDAP - Could not find user: abc" Where can I track down this misconfiguration?

thanks!

Tags (1)
Reply

morethanyell
Builder
‎08-19-2019 06:26 PM

The solution to mine was to have all scheduled savedsearches to be owned by a service account / savedsearch runner account.

0 Karma
Reply

wrangler2x
Motivator
‎06-29-2018 08:46 AM

Related -- this will find orphaned saved searches/alerts:

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎06-02-2012 12:58 PM

When I have seen this in the past it is because there are entries in the metadata files which are referring to the user. If you search the local.meta files for the username, you should be able to find it. So on a Linux host:

find /opt/splunk/ -name local.meta -exec grep abc {} \; -print

HTH,

Dave

Reply

tmarlette
Motivator
‎01-26-2016 10:39 AM

ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="MyLDAPStrategy"
ERROR UserManagerPro - Failed to get LDAP user="nobody" from any configured servers

on RHEL I used this process successfully to remove the above errors that were spamming my splunkd.log:

  1. disabled 'learned' app (adds KO's with user='nobody' as owner)
  2. stop splunk service

  3. look for zombie'd users:

    find /opt/splunk -name local.meta -exec grep -H 'nobody' {} \;^C

  4. replace zombie'd users with 'admin'

    find /opt/splunk -name local.meta -exec sed -i 's/owner = nobody/owner = admin/g' {} \;

  5. start splunk service

Reply

andrewlorien
Engager
‎06-28-2018 06:46 PM

Thanks for the find+sed, very helpful.
But the error for me is

Could not find user "system"

, and there is an owner = splunk-system-user but no owner = system

.

0 Karma
Reply

wrangler2x
Motivator
‎08-16-2017 10:11 AM

Cool idea on converting nobody to admin!

If you just want a list of what apps have a nobody in local.meta, try this:

find /opt/splunk/ -name local.meta -exec grep nobody {} \; -print | grep / | sed 's/.*\/apps\///; s/\/metadata\/local.meta//'

0 Karma
Reply

neelamsantosh
Path Finder
‎05-03-2016 01:12 AM

Thanks tmarlette ·

0 Karma
Reply

fuster_j
Path Finder
‎06-02-2012 05:30 PM

Very Cool! Thank you! I used:

find /opt/splunk -name local.meta -exec grep "abc" {} \; -print
It found the bad user ID.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-30-2018 09:03 PM

Be sure to click Accept to close the question.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...