Splunk Enterprise

Indexer Cluster user="" had no roles

NoSpaces
Contributor

Hello to everyone!
Today I noticed strange messages in the daily warn and errors report:

 

10-04-2024 16:55:01.935 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user= because: Could not get info for non-existent user=""
10-04-2024 16:55:01.935 +0300 ERROR UserManagerPro [5280 indexerPipe_0] - user="" had no roles

 

I checked that this couple first appeared 5 days ago, but this fact can't help me because I don't remember what I changed on that exact day.
I also tried to find some helpful "nearby" events that could help me understand the root cause, but didn't observe anything interesting.
What ways do I have to investigate this case?
Maybe I can "raise" the log policy to DEBUG level? If I can, what should I change and where?

A little more information:
I have a search head cluster with LDAP authorization
And also an indexer cluster with only local users

0 Karma

isoutamo
SplunkTrust
0 Karma

NoSpaces
Contributor

@isoutamo, Thank you for your attention to my problem.
I saw this post, and I also saw the resolution—create the user 'system'.
But my case is a little bit different because errors have no information about the user that is absent.
Only quotes without anything.

0 Karma

isoutamo
SplunkTrust
The only thing that comes to my mind is that you should try to find some matches in other logs, including the SH side, to see which process or query has initiated this query on the indexer side, and find more information over there.
Another option is to create a support case with Splunk.
0 Karma

NoSpaces
Contributor

UP

0 Karma

PickleRick
SplunkTrust

Please stop UP-ing the thread. You haven't found a similar issue in old threads, no one seems to be able to help you here right now. It's time to engage support. Posting "UP" once a week only clutters the forum.

Thanks for understanding.

0 Karma

NoSpaces
Contributor

Sorry for being annoying, I'm stopping this behavior.

0 Karma

NoSpaces
Contributor

Up

A week ago, I tried to enable DEBUG logging to find the root cause,
but found only similar events without anything helpful for finding the root cause.

0 Karma

NoSpaces
Contributor

Up

0 Karma

NoSpaces
Contributor

Up

0 Karma