Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:
REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.
The relevant part of the search is
| rest splunk_server=local /services/authentication/current-context | fields username
According to the Search Reference, splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?
Generally, you will get the error if the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.
You need to add the dispatch_rest_to_indexers capability to the respective role or the user to make it work.
Or you can add it to the default stanza in authorize.conf so that everyone has that capability.
[default]
dispatch_rest_to_indexers = enabled
In Splunk Cloud we get this and the capability does not appear to be able to be added to any role. I get this while logged in as sc-admin and specifying splunk_server=local. It's aggravating my C level to see the stupid error.
It’s a shift in the default authorize.conf file. Originally the capability dispatch_rest_to_indexers was in the [default] stanza, and now it’s moved to [admin]. You will need to add it to the roles you want to have that capability.
@vliggio stopping by to say thanks for this information. I added the following to my /etc/system/local/authorize.conf file to resolve:
[default]
dispatch_rest_to_indexers = enabled
edit: we upgraded from 6.6.4 to 7.1.4
Thanks for the hint - still I'm wondering why the capability is required when I limit the call to the search head (via splunk_server=local).
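An added example, not part of any post above and not Splunk's own tooling: a short Python audit that reads authorize.conf text and reports which roles end up with dispatch_rest_to_indexers, whether through [default], the role's own stanza, or importRoles. The sample file is constructed, and the role_<name> stanzas and importRoles chain in it are assumptions about the deployment's configuration.

```python
# Added example: audit authorize.conf text for who receives a capability.
CAP = "dispatch_rest_to_indexers"
# Constructed sample, not taken from a real deployment.
SAMPLE = """\
[default]
dispatch_rest_to_indexers = enabled

[role_user]
search = enabled

[role_power]
importRoles = user

[role_admin]
importRoles = power;user
dispatch_rest_to_indexers = enabled
"""

def parse_conf(text):
    """Parse stanza / key = value text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(text, cap=CAP):
    """Return {role: reason} for every role that ends up with cap."""
    stanzas = parse_conf(text)
    roles = {s[5:]: kv for s, kv in stanzas.items() if s.startswith("role_")}
    # A grant in [default] reaches every role, so it is reported first.
    in_default = stanzas.get("default", {}).get(cap) == "enabled"
    def source(role, seen=()):
        if role in seen or role not in roles:  # cycle or unknown role
            return None
        if roles[role].get(cap) == "enabled":
            return "own stanza"
        for parent in roles[role].get("importRoles", "").split(";"):
            if parent.strip() and source(parent.strip(), seen + (role,)):
                return "imported from " + parent.strip()
        return None
    return {r: ("[default]" if in_default else source(r))
            for r in roles if in_default or source(r)}
```

Running audit() on the merged configuration before and after moving the setting out of [default] shows exactly which roles lose or keep the capability.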