Splunk Enterprise

Indexer Cluster user="" had no roles

NoSpaces
Communicator

Hello to everyone!
Today I noticed strange messages in the daily warn and errors report:

10-04-2024 16:55:01.935 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user= because: Could not get info for non-existent user=""
10-04-2024 16:55:01.935 +0300 ERROR UserManagerPro [5280 indexerPipe_0] - user="" had no roles

I checked that this couple first appeared 5 days ago, but this fact can't help me because I don't remember what I changed on that exact day.
I also tried to find some helpful "nearby" events that could help me understand the root cause, but didn't observe anything interesting.
What ways do I have to investigate this case?
Maybe I can "raise" the log policy to DEBUG level? If I can, what should I change and where?

A little more information:
I have a search head cluster with LDAP authorization,
and also an indexer cluster with only local users.


isoutamo
SplunkTrust

NoSpaces
Communicator

@isoutamo, Thank you for your attention to my problem.
I saw this post, and I also saw the resolution—create the user 'system'.
But my case is a little bit different because errors have no information about the user that is absent.
Only quotes without anything.


isoutamo
SplunkTrust
The only thing that comes to my mind is that you should try to find some matches in other logs, including the SH side, to see which process or query initiated this query on the indexer side, and find more information there.
Another option is to create a support case with Splunk.
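One way to do the log matching suggested in the reply above, as an added example that is not part of the original thread and not Splunk's own tooling: it parses splunkd.log lines in the layout quoted in the question, isolates the UserManagerPro events with an empty user, reports when they first appeared and on which thread, and lists other events within a short window. The first two sample lines are from the post; the remaining lines, the names `ExampleComponent`, `exampleThread` and `alice`, and the 2-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# splunkd.log layout, taken from the two lines quoted in the question.
LINE = re.compile(
    r'^(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4})\s+(?P<level>[A-Z]+)\s+'
    r'(?P<comp>\S+)\s+\[(?P<tid>\d+) (?P<thread>[^\]]+)\]\s+-\s+(?P<msg>.*)$')
# Matches user="" and a bare user= followed by whitespace or end of line.
EMPTY_USER = re.compile(r'\buser=(?:""|(?=\s|$))')

def parse(lines):
    """Return one dict per well-formed line; lines in another layout are skipped."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
            events.append(ev)
    return events

def empty_user_events(events):
    return [e for e in events
            if e["comp"] == "UserManagerPro" and EMPTY_USER.search(e["msg"])]

def summarize(hits):
    """First occurrence, plus counts per thread and per calendar day."""
    return {"first_seen": min((e["ts"] for e in hits), default=None),
            "by_thread": Counter(e["thread"] for e in hits),
            "by_day": Counter(e["ts"].date().isoformat() for e in hits)}

def neighbours(hits, events, window_s=2.0):
    """Non-hit events within +/- window_s of any hit; UTC offsets are honoured."""
    w = timedelta(seconds=window_s)
    return [e for e in events
            if e not in hits and any(abs(e["ts"] - h["ts"]) <= w for h in hits)]

SAMPLE = [  # lines 1-2 are quoted from the post; lines 3-5 are constructed
    '10-04-2024 16:55:01.935 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user= because: Could not get info for non-existent user=""',
    '10-04-2024 16:55:01.935 +0300 ERROR UserManagerPro [5280 indexerPipe_0] - user="" had no roles',
    '10-04-2024 13:55:01.100 +0000 INFO  ExampleComponent [4100 exampleThread] - constructed line from a host logging in UTC',
    '10-04-2024 16:55:02.000 +0300 WARN  UserManagerPro [5280 indexerPipe_0] - Unable to get roles for user=alice because: constructed',
    '10-04-2024 16:40:00.000 +0300 INFO  ExampleComponent [4100 exampleThread] - constructed unrelated line',
]

if __name__ == "__main__":
    EVENTS = parse(SAMPLE)
    print(summarize(empty_user_events(EVENTS)))
```

Feeding `parse` the concatenated splunkd.log lines from an indexer and a search head lets `neighbours` compare them on one timeline even when the hosts log with different UTC offsets.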

NoSpaces
Communicator

UP


PickleRick
SplunkTrust

Please stop UP-ing the thread. You haven't found a similar issue in old threads, and no one seems to be able to help you here right now. It's time to engage support. Posting "UP" once a week only clutters the forum.

Thanks for understanding.


NoSpaces
Communicator

Sorry for being annoying; I'm stopping this behavior.


NoSpaces
Communicator

Up

A week ago, I tried to enable DEBUG logging to find the root cause,
but found only similar events without anything helpful for finding the root cause.


NoSpaces
Communicator

Up


NoSpaces
Communicator

Up
