Solved: How to troubleshoot unknown role warnings for 'ess...

jravida · ‎12-22-2014

Hi folks,

I seem to have the remnants of a role, being called up, and failing to exist. The role is related to the Enterprise Security app, 'ess_analyst', although the app has been since uninstalled. The splunkd.log only says:
WARN AuthroizationManager - Unknown role 'ess_analyst'
It says this thousands of times, crowding out the important logs as they just roll over.
The role doesn't exist at all when I check my roles. I'm not sure where else to look, as the error is vague.

martin_mueller · ‎12-22-2014

I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.

View solution in original post

martin_mueller · ‎12-22-2014

I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.

jravida · ‎12-22-2014

Good call! The string showed up in authorize.conf, as an inherited role for a new one someone had made. I went back to the GUI, and brought up the new role, didn't see 'ess_analyst'. I added and removed the user role, and saved. Went back to splunkd.log and the WARN has stopped! Check authorize.conf, role is gone! Ghosts of roles past, I guess. I hope I don't get visited by 2 more before Chiristmas, because I have places to go.

martaBenedetti · ‎05-18-2022

Worked for me, thanks!

How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security?

Splunk Classroom Chronicles: Training Tales and Testimonials

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!