Splunk Search

System and Nobody had no roles

dcrooks_cbp
New Member

I am trying to get the System access attempts with invalid credentials. Folks with unknown user names. I am using the following search part: index=_internal sourcetype=splunkd user=* component=UserManagerPro

There are a ton of messages with the following:
message="user=\"system\" had no roles" and message="user=\"nobody\" had no roles"

I believe they can just be filtered out and I am using version 7.0.4

DLC

Tags (1)
0 Karma

bohanlon_splunk
Splunk Employee
Splunk Employee
0 Karma

VatsalJagani
Champion

Hi @dcrooks_cbp,
Please try changing your part of query with this:

index=_internal sourcetype=splunkd UserManagerPro NOT TERM("had no roles")

Hope this helps!!

0 Karma

VatsalJagani
Champion

Hi @dcrooks_cbp,
Can you please provide a sample raw event? As on my dev instance I do not have any event with this criteria.

0 Karma

dcrooks_cbp
New Member

11-01-2018 13:49:01.942 +0000 ERROR UserManagerPro - user="system" had no roles

0 Karma
Get Updates on the Splunk Community!

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...