Splunk Enterprise Security

How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security?

jravida
Communicator

Hi folks,

I seem to have the remnants of a role, being called up, and failing to exist. The role is related to the Enterprise Security app, 'ess_analyst', although the app has been since uninstalled. The splunkd.log only says:
WARN AuthroizationManager - Unknown role 'ess_analyst'
It says this thousands of times, crowding out the important logs as they just roll over.
The role doesn't exist at all when I check my roles. I'm not sure where else to look, as the error is vague.

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.

View solution in original post

jravida
Communicator

Good call! The string showed up in authorize.conf, as an inherited role for a new one someone had made. I went back to the GUI, and brought up the new role, didn't see 'ess_analyst'. I added and removed the user role, and saved. Went back to splunkd.log and the WARN has stopped! Check authorize.conf, role is gone! Ghosts of roles past, I guess. I hope I don't get visited by 2 more before Chiristmas, because I have places to go.

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!