Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexer Cluster user="" had no roles

NoSpaces
Communicator
‎10-04-2024 07:54 AM

Hello to everyone!
Today I noticed strange messages in the daily warn and errors report:

 

10-04-2024 16:55:01.935 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user= because: Could not get info for non-existent user=""
10-04-2024 16:55:01.935 +0300 ERROR UserManagerPro [5280 indexerPipe_0] - user="" had no roles

 

I checked that this couple first appeared 5 days ago, but this fact can't help me because I don't remember what I changed in the exact day.
I also tried to find some helpful "nearby" events that can help me to understand the root case, but didn't observe anything interesting.
Which ways do I have to investigate this case?
Maybe I can "rise" log policy to DEBUG lvl? If I can, what should I change and where?

Little more information:
I have searchhead cluster with LDAP authorization
And also indexer cluster only with local users

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-18-2024 10:22 AM
Have you check this https://community.splunk.com/t5/Security/ERROR-UserManagerPro-user-quot-system-quot-had-no-roles/m-p... ?
0 Karma
Reply

NoSpaces
Communicator
‎12-19-2024 07:12 AM

@isoutamo, Thank you for your attention to my problem.
I saw this post, and I also saw the resolution—create the user 'system'.
But my case is a little bit different because errors have no information about the user that is absent.
Only quotes without anything.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-19-2024 10:12 AM
Only thing what comes my mind is that you should try to find some matches from other logs including sh side, which process or query has initiated this query on indexer side and found more information over there.
Another option is create a support case to splunk.
0 Karma
Reply

NoSpaces
Communicator
‎12-18-2024 12:26 AM

UP

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-18-2024 12:47 AM

Please stop UP-ing the thread. You haven't found a similar issue in old threads, noone seems to be able to help you here right now. It's time to engage support. Posting "UP" once a week only clutters the forum.

Thanks for understanding.

0 Karma
Reply

NoSpaces
Communicator
‎12-18-2024 01:00 AM

Sorry for had being annoying, I'm stopping this behavior.

0 Karma
Reply

NoSpaces
Communicator
‎11-28-2024 02:12 AM

Up

A week ago, I tried to enable DEBUG log to find the root case
But found only the similar events without anything helpful to find the root case

0 Karma
Reply

NoSpaces
Communicator
‎10-08-2024 02:37 AM

Up

0 Karma
Reply

NoSpaces
Communicator
‎10-17-2024 12:47 AM

Up

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...