Splunk Enterprise

Indexer Cluster user="" had no roles

NoSpaces
Communicator

Hello to everyone!
Today I noticed strange messages in the daily warn and errors report:

 

10-04-2024 16:55:01.935 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user= because: Could not get info for non-existent user=""
10-04-2024 16:55:01.935 +0300 ERROR UserManagerPro [5280 indexerPipe_0] - user="" had no roles

 

I checked that this couple first appeared 5 days ago, but this fact can't help me because I don't remember what I changed in the exact day.
I also tried to find some helpful "nearby" events that can help me to understand the root case, but didn't observe anything interesting.
Which ways do I have to investigate this case?
Maybe I can "rise" log policy to DEBUG lvl? If I can, what should I change and where?

Little more information:
I have searchhead cluster with LDAP authorization
And also indexer cluster only with local users

Labels (1)
0 Karma

NoSpaces
Communicator

Up

A week ago, I tried to enable DEBUG log to find the root case
But found only the similar events without anything helpful to find the root case

0 Karma

NoSpaces
Communicator

Up

0 Karma

NoSpaces
Communicator

Up

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...