Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexer Cluster user="" had no roles

NoSpaces
Contributor
‎10-04-2024 07:54 AM

Hello to everyone!
Today I noticed strange messages in the daily warn and errors report:

 

10-04-2024 16:55:01.935 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user= because: Could not get info for non-existent user=""
10-04-2024 16:55:01.935 +0300 ERROR UserManagerPro [5280 indexerPipe_0] - user="" had no roles

 

I checked that this couple first appeared 5 days ago, but this fact can't help me because I don't remember what I changed in the exact day.
I also tried to find some helpful "nearby" events that can help me to understand the root case, but didn't observe anything interesting.
Which ways do I have to investigate this case?
Maybe I can "rise" log policy to DEBUG lvl? If I can, what should I change and where?

Little more information:
I have searchhead cluster with LDAP authorization
And also indexer cluster only with local users

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-18-2024 10:22 AM
Have you check this https://community.splunk.com/t5/Security/ERROR-UserManagerPro-user-quot-system-quot-had-no-roles/m-p... ?
0 Karma
Reply

NoSpaces
Contributor
‎12-19-2024 07:12 AM

@isoutamo, Thank you for your attention to my problem.
I saw this post, and I also saw the resolution—create the user 'system'.
But my case is a little bit different because errors have no information about the user that is absent.
Only quotes without anything.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-19-2024 10:12 AM
Only thing what comes my mind is that you should try to find some matches from other logs including sh side, which process or query has initiated this query on indexer side and found more information over there.
Another option is create a support case to splunk.
0 Karma
Reply

NoSpaces
Contributor
‎12-18-2024 12:26 AM

UP

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2024 12:47 AM

Please stop UP-ing the thread. You haven't found a similar issue in old threads, noone seems to be able to help you here right now. It's time to engage support. Posting "UP" once a week only clutters the forum.

Thanks for understanding.

0 Karma
Reply

NoSpaces
Contributor
‎12-18-2024 01:00 AM

Sorry for had being annoying, I'm stopping this behavior.

0 Karma
Reply

NoSpaces
Contributor
‎11-28-2024 02:12 AM

Up

A week ago, I tried to enable DEBUG log to find the root case
But found only the similar events without anything helpful to find the root case

0 Karma
Reply

NoSpaces
Contributor
‎10-08-2024 02:37 AM

Up

0 Karma
Reply

NoSpaces
Contributor
‎10-17-2024 12:47 AM

Up

0 Karma
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...