Hey,
All my users except admin are getting this error: Streamed search execute failed because: User '' could not act as: XXX
With XXX being the user in question. I've checked all the permissions and even tried changing some, but all the users in questions have full rights to run searches. I can't see anything in the error history that indicates why my users can't execute searches. Really keen to get this sorted, as the product is essentially unusable right now.
Thanks!
Look like the bug SPL-66763
Distributed searches can intermittently fail on certain search peers with an error banner indicating Streamed search execute failed because: User could not act as:
. The affected peer will not return results for this search. (SPL-66763)
fixed in splunk 5.0.6 and 6.0.1
see http://docs.splunk.com/Documentation/Splunk/5.0.6/ReleaseNotes/5.0.6#Resolved_distributed_deployment...
I have received this error in 6.1.3 multiple times. This was not corrected all the way. We use a clustered environment with pooled search heads.
You might want to check which search peer is causing the issue. See the nearby events logs from _internal to pinpoint what exactly is causing issue.
how exactly did you create the new users? did you assign default roles? did you modify roles or create new ones?
I'm getting the same thing intermittently. Yes, I have 2 search heads searching 4 search peers. The search heads are pooled per instructions on splunk.com.
Are you using distributed environment (multiple indexers, search peers)?