Re: System and Nobody had no roles

dcrooks_cbp · ‎11-01-2018

I am trying to get the System access attempts with invalid credentials. Folks with unknown user names. I am using the following search part: index=_internal sourcetype=splunkd user=* component=UserManagerPro

There are a ton of messages with the following:
message="user=\"system\" had no roles" and message="user=\"nobody\" had no roles"

I believe they can just be filtered out and I am using version 7.0.4

DLC

bohanlon_splunk · ‎10-07-2019

I believe you are right as per; https://answers.splunk.com/answers/636862/error-usermanagerpro-usersystem-had-no-roles.html

VatsalJagani · ‎11-02-2018

Hi @dcrooks_cbp,
Please try changing your part of query with this:

index=_internal sourcetype=splunkd UserManagerPro NOT TERM("had no roles")

Hope this helps!!

VatsalJagani · ‎11-01-2018

Hi @dcrooks_cbp,
Can you please provide a sample raw event? As on my dev instance I do not have any event with this criteria.

dcrooks_cbp · ‎11-01-2018

11-01-2018 13:49:01.942 +0000 ERROR UserManagerPro - user="system" had no roles

System and Nobody had no roles

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation