Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability."

krdo
Communicator
‎04-25-2018 10:42 PM

Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:

REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.

The relevant part of the search is

| rest splunk_server=local /services/authentication/current-context | fields username

According to the Search Reference , splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?

0 Karma
Reply

swmishra_splunk
Splunk Employee
Splunk Employee
‎06-26-2019 10:45 PM

Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.

You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.

Or you can add it to the default stanza in authorize.conf so that everyone has that capability.

[default]
dispatch_rest_to_indexers = enabled

Reply

ntennant
Loves-to-Learn
‎06-23-2020 06:06 AM

In Splunk Cloud we get this and the capability does not appear to be able to be added to any role.  I get this while logged in as sc-admin and specifying splunk_server=local.  It's aggravating my C level to see the stupid error.

0 Karma
Reply

vliggio
Communicator
‎04-26-2018 02:41 PM

It’s a shift in the default authorize.conf file. Originally the capability dispatch_rest_to_indexers was in the [default] stanza, and now it’s move to [admin]. You will need to add it to the roles you want to have that capability.

Reply

andrewtrobec
Motivator
‎06-13-2019 12:08 AM

@vliggio stopping by to say thanks for this information. I added the following to my /etc/system/local/authorize.conf file to resolve:

[default]
dispatch_rest_to_indexers = enabled

edit: we upgraded from 6.6.4 to 7.1.4

Reply

krdo
Communicator
‎04-26-2018 11:28 PM

Thanks for the hint - still I'm wondering why the capability is required whent I limit the call to the search head (via splunk_server=local).

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...