topic Re: Warnings on Splunk TCP Port Closures (Splunk Cloud) in Monitoring Splunk

Warnings on Splunk TCP Port Closures (Splunk Cloud)

willemjongeneel — Tue, 07 May 2019 07:49:05 GMT

Hello,

I am receiving warnings on my splunk cloud monitoring console:

I am not sure what caused this errors to occur. Can anyone tell me what the errors mean and what I can do to resolve them?

Thanks in advance, kind regards,

Willem

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

DavidHourani — Wed, 30 Sep 2020 00:22:34 GMT

Hi @willemjongeneel,

You seems to have two problems there :

1- The warning message of the subsearch, it seems that the account your using does not have the required capability to run this search. You need to add the dispatch_rest_to_indexers capability.

2- The error message is trying to reach your distributed search peer configuration but apparently you have nothing configured there locally so the endpoint fails. Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there.

Let me know if that helps.

Cheers,
David

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

willemjongeneel — Wed, 30 Sep 2020 00:26:39 GMT

Hi @DavidHourani

Thank you for your quick response.

1: I dont see the dispatch_rest_to_indexers capability in Splunk Cloud GUI. Could it be one of the following capabilities?

rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set

2: Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there. --> Do you know if this is possible in managed Splunk Cloud GUI? Where should I add this?

Kind regards,
Willem

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

DavidHourani — Tue, 07 May 2019 11:08:33 GMT

Hi @willemjongeneel,

1: Check here : https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/authorizeconf the capability is this one : [capability::dispatch_rest_to_indexers]

2- it should be possible : from settings -> distributed search -> search peers.
If you don't have the " distributed search " option then no it's not possible to do it via GUI.

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

willemjongeneel — Tue, 07 May 2019 13:06:41 GMT

Hi @DavidHourani

I cannot see this capability in Splunk Cloud.
Also I dont have the distributed search option in the Splunk Cloud gui.

I'll make a ticket at Splunk support for this.

Thanks for your help.

Kind regards,
Willem Jongeneel

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

DavidHourani — Tue, 07 May 2019 13:25:53 GMT

Most welcome! Let me know how that turns up. And please accept the answer if it helped

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

willemjongeneel — Wed, 30 Sep 2020 00:23:03 GMT

I've received the following response from support:

yes - there is currently a defect open in the CMC
The "dispatch_rest_to_indexers" capability has been removed from everyone. It was a code change.

It will be fixed CMC v.1.2 - but no eta as of yet .

Kind regards,
Willem

Re: Warnings on Splunk TCP Port Closures (Splunk Cloud)

dougtc — Thu, 22 Apr 2021 13:53:36 GMT

Thanks for that. It's April 2021 and no fix for this, yet.