Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunkd Crash: The user 'splunk-system-user' does not have sufficient search privleges

kfeagans_splunk
Splunk Employee
Splunk Employee
‎07-30-2013 11:11 AM

Hi:

A few days ago, after messing about with users and roles, I had the unfortunate occurrence of splunkd failing after just a minute or so. Looking through the recorded crash.log, I see the following:

libc++abi.dylib: terminating with uncaught exception of type SearchProcessorException: Error in 'DispatchCommand': The user 'splunk-system-user' does not have sufficient search privleges.

After searching high and low, I can't seem to find an answer to this?

Help! 🙂

kf

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kfeagans_splunk
Splunk Employee
Splunk Employee
‎07-30-2013 11:17 AM

Found my own answer, with help from Splunk Ninja!

Turns out, there is an authorize.conf file located in $SPLUNK_HOME/etc/system/local that contains anything relevant to your instance of Splunk and user permissions relating to searches. Since this is a generated file from user input (users and roles), simply rename this file, and restart Splunk. Splunk will then create a new "default" authorize.conf file in local for you. If you need to, go ahead and make auth changes (being careful not to crash Splunk again! :).

View solution in original post

Reply
Solved! Jump to solution
Solution

kfeagans_splunk
Splunk Employee
Splunk Employee
‎07-30-2013 11:17 AM

Found my own answer, with help from Splunk Ninja!

Turns out, there is an authorize.conf file located in $SPLUNK_HOME/etc/system/local that contains anything relevant to your instance of Splunk and user permissions relating to searches. Since this is a generated file from user input (users and roles), simply rename this file, and restart Splunk. Splunk will then create a new "default" authorize.conf file in local for you. If you need to, go ahead and make auth changes (being careful not to crash Splunk again! :).

Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...