How come the Domain Tools TA for Splunk is not allowing configuration changes?


We have downloaded and installed the Splunk DomainTools TA in our clustered environment. However, we are getting the following error:

 [HTTP 403] Client is not authorized to perform requested action

We have the list_storage_passwords capability assigned (from here) to the groups that need to modify and manage the configurations, but we still keep getting the error.

What capabilities do we need to have assigned to those who need access to change configurations in the app? Admin can make changes, but not Power.

0 Karma

Path Finder

Hi! Thanks for trying out the app. Let's see what we can do to get you started here.

You're right about list_storage_passwords - you'll need that on any users that want to use the commands interactively, including the interactive domain profile page. That's because, per Splunk guidelines, we store your DomainTools API keys with the storage passwords mechanism.

For this issue, it's difficult to know for sure, but are you making these changes on the deployer, interactively, before distributing the app to the other members in the SH cluster? If not, that could be the issue - in most cases, clustered search heads don't let you change app settings interactively because it could cause cluster members to become out of sync.

Also, most of the time, settings do not need to be changed after the initial configuration, so there should be little downside to having an admin complete the one-time configuration. Most of our customers configure their apps as admins and then leave them to run as-is.

Can you give us some guidance on the architecture you have here? That might help us resolve it. Version of Splunk, version of our TA, and the basic cluster setup would help.


0 Karma

Loves-to-Learn Lots

The DomainTools app for Splunk (version 3.5.0) has not been loading since the 2nd week of Feb, and I am also unable to validate API credentials. When I try to check API details from the UI, all I see is a blank page without any details. Let me know if anyone has an idea.

0 Karma