Splunk Enterprise Security

How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security?


Hi folks,

I seem to have the remnants of a role being called up and failing to exist. The role is related to the Enterprise Security app, 'ess_analyst', although the app has since been uninstalled. The splunkd.log only says:
WARN AuthorizationManager - Unknown role 'ess_analyst'
It says this thousands of times, crowding out the important logs as they just roll over.
The role doesn't exist at all when I check my roles. I'm not sure where else to look, as the error is vague.

1 Solution


I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.



Good call! The string showed up in authorize.conf, as an inherited role for a new one someone had made. I went back to the GUI and brought up the new role, but didn't see 'ess_analyst'. I added and removed the user role, and saved. Went back to splunkd.log and the WARN has stopped! Checked authorize.conf, role is gone! Ghosts of roles past, I guess. I hope I don't get visited by 2 more before Christmas, because I have places to go.
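The accepted answer (grep etc/ for the role name) and the follow-up finding (a dangling importRoles entry in authorize.conf) can be folded into one check that reports every inherited role no stanza defines. This is an added example, not code from the thread or from Splunk; it assumes the authorize.conf syntax `[role_<name>]` with `importRoles = a;b`, and it scans a constructed sample tree rather than a live install.

```shell
#!/bin/sh
# Added example (not from the thread): report importRoles entries in any
# authorize.conf under a Splunk etc/ tree that name a role no stanza defines.
# A dangling import like this is what produces the "Unknown role" warnings.
# Assumes the conf syntax "[role_<name>]" with "importRoles = a;b".

find_dangling_imports() {
    etc_dir="${1:-${SPLUNK_HOME:-/opt/splunk}/etc}"
    # One awk pass over every authorize.conf (system/, apps/, users/):
    # remember each defined role stanza and each import, compare in END.
    find "$etc_dir" -type f -name authorize.conf -exec awk '
        /^\[role_/ { cur=$0; sub(/^\[role_/,"",cur); sub(/\].*$/,"",cur); defined[cur]=1; next }
        /^\[/      { cur=""; next }
        cur!="" && /^[ \t]*importRoles[ \t]*=/ {
            v=$0; sub(/^[^=]*=[ \t]*/,"",v); sub(/[ \t]+$/,"",v)
            n=split(v, imp, /[ \t]*;[ \t]*/)
            for (i=1;i<=n;i++) if (imp[i]!="") refs[++k]=FILENAME "|" cur "|" imp[i]
        }
        END {
            for (j=1;j<=k;j++) {
                split(refs[j], p, "|")
                if (!(p[3] in defined)) print p[1] ": role " p[2] " imports undefined role " p[3]
            }
        }' {} +
}

# Constructed sample tree mirroring the thread: built-in roles exist, but a
# custom role still imports the uninstalled app's ess_analyst role.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/system/default" "$d/apps/myapp/local"
    printf '[role_admin]\nimportRoles = power\n\n[role_power]\nimportRoles = user\n\n[role_user]\n' \
        > "$d/system/default/authorize.conf"
    printf '[role_soc_tier2]\nimportRoles = user;ess_analyst\nsrchIndexesAllowed = *\n' \
        > "$d/apps/myapp/local/authorize.conf"
    printf '%s\n' "$d"
}

# Stand-alone demo on the sample tree; on a real host run:
#   find_dangling_imports "$SPLUNK_HOME/etc"
sample=$(make_sample_etc)
find_dangling_imports "$sample"
rm -rf "$sample"
```

The reported file and stanza are the ones to edit (or re-save from the GUI, as the poster did) to silence the warning.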