Splunk Enterprise Security

How to troubleshoot unknown role warnings for 'ess_analyst' in Splunkd.log, even after uninstalling the Splunk App for Enterprise Security?

jravida
Communicator

Hi folks,

I seem to have the remnants of a role, being called up, and failing to exist. The role is related to the Enterprise Security app, 'ess_analyst', although the app has been since uninstalled. The splunkd.log only says:
WARN AuthroizationManager - Unknown role 'ess_analyst'
It says this thousands of times, crowding out the important logs as they just roll over.
The role doesn't exist at all when I check my roles. I'm not sure where else to look, as the error is vague.

1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

I'd start by grepping through $SPLUNK_HOME/etc for files that contain ess_analyst.

jravida
Communicator

Good call! The string showed up in authorize.conf, as an inherited role for a new one someone had made. I went back to the GUI, and brought up the new role, didn't see 'ess_analyst'. I added and removed the user role, and saved. Went back to splunkd.log and the WARN has stopped! Check authorize.conf, role is gone! Ghosts of roles past, I guess. I hope I don't get visited by 2 more before Chiristmas, because I have places to go.

martaBenedetti
Path Finder

Worked for me, thanks!

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...