Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:
REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.
The relevant part of the search is
| rest splunk_server=local /services/authentication/current-context | fields username
According to the Search Reference , splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?
Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.
You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.
Or you can add it to the default stanza in authorize.conf so that everyone has that capability.
[default]
dispatch_rest_to_indexers = enabled
Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.
You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.
Or you can add it to the default stanza in authorize.conf so that everyone has that capability.
[default]
dispatch_rest_to_indexers = enabled