All Apps and Add-ons

Lookup File Editor App for Splunk Enterprise: Why do other users get error "Client is not authorized" trying to open my CSV Lookup?



We are using the Lookup File Editor App for Splunk Enterprise and when someone tries to open my csv via the app, they receive an error about not being able to load the details of the lookup file. I've set the permissions of the file to global and ensure the user had read/write access. When I set the file to be owned by nobody, they are able to open and edit. I did find the following in the log file.

2016-04-07 00:33:22,471 DEBUG   [57060d42717f15c73b7bd0] _cplogging:55 - [07/Apr/2016:00:33:22] HTTP Traceback (most recent call last):
  File "/opt/splunk/lib/python2.7/site-packages/cherrypy/", line 606, in respond
    cherrypy.response.body = self.handler()
  File "/opt/splunk/lib/python2.7/site-packages/cherrypy/", line 25, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "", line 1, in 
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/", line 38, in rundecs
    return fn(*a, **kw)
  File "", line 1, in 
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/", line 118, in check
    return fn(self, *a, **kw)
  File "", line 1, in 
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/", line 167, in validate_ip
    return fn(self, *a, **kw)
  File "", line 1, in 
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/", line 335, in preform_sso_check
    return fn(self, *a, **kw)
  File "", line 1, in 
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/", line 387, in check_login
    return fn(self, *a, **kw)
  File "", line 1, in 
  File "/opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/lib/", line 407, in handle_exceptions
    return fn(self, *a, **kw)
  File "", line 148, in get_lookup_info
  File "", line 460, in resolve_lookup_filename
  File "/opt/splunk/lib/python2.7/site-packages/splunk/models/", line 548, in get
    return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/models/", line 528, in get
    entity = self._get_entity(id, host_path=host_path)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/models/", line 444, in _get_entity
    return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
  File "/opt/splunk/lib/python2.7/site-packages/splunk/", line 249, in getEntity
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/", line 514, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action;

Any suggestions?

Thank you,

Splunk Employee
Splunk Employee

This sounds like an issue with the role the users are assigned to. Is this a new role that was created (not a role provided "out of the box" or was this an existing role (user, power, admin) that was modified?

Go to Settings -> Access Controls -> Roles... Click on the role these users are assigned to. From here, go to the section titled "Inheritance".
- If this was a default role, the selected roles for Inheritance should be left alone. If any changes were made here previously, the defaults should be reset and saved.
- If this was a newly created role, you should likely assign inheritance from an existing role - such as the "user" or "power" role, based on their expected capabilities.

After this, look at the Capabilities section and review the Selected Capabilities - based on what I'm seeing in your log, this role should have "rest_apps_view", "rest_properties_get", and "rest_properties_set" capabilities selected. If not, find them under the Available Capabilities and click them to assign them to Selected.

Save whatever changes you make, possibly restart Splunk and see what happens after that.

Also, here is a previous answer that references the same error you're seeing, if you'd like to review this answer further:

Hope this helps...

0 Karma


It appears that I'm having this issue as well. Anyone in the admin group seems to work fine but users with new roles can't seem to view or edit files despite granting them explicit read/write access to them. Any thoughts?

0 Karma


I had to set the owner of the lookup to nobody. Role access were applied as normal after that.


How'd you go about doing that?


By going to etc/apps/the app that contains the lookup/metadata/local.meta

search for the csv file entry. should look something like this.

version = ###
owner = nobody
modtime = 1464798467.783966000
access = read : [ * ], write : [ admin ]
export = system

and set the owner to nobody. You can restart the splunk process or issue the refresh command by going to yoursplunk/en-US/debug/refresh

hope this helps


Thanks Mate.

Huge help!

0 Karma


Hi, thank you for your response. I ensured that the role the user belongs to had all of the rest capabilities, but still continued to have the same issue. The exact error they are getting when opening the lookup file is "Information about the lookup file could not be obtained from the server." The work around is to set the file to nobody, so it would seem to be something tied with opening my files. That doesn't make sense since I made it global all permissions.

0 Karma

Splunk Employee
Splunk Employee

Thanks for checking that out...

I'd say it's a permissions issue somewhere... When the lookup table(s) were initially uploaded, were they given global permissions and the ability for users in this role to read and/or write to those lookup table(s)?

What about the Permissions of Lookup File Editor App? Go to Manage Apps and check permissions set for the app itself.

Finally, this could be a permissions issue within the file system where Splunk is installed... You may want to check out your file system and ensure the system level user that starts Splunk has write access to the directory/file(s) in which you're trying to access the lookup table(s).

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!