Solved: Re: Why am I gettin the warning "Restricting resul...

swmishra_splunk · ‎07-31-2019

Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:

REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.
The relevant part of the search is

| rest splunk_server=local /services/authentication/current-context | fields username
According to the Search Reference , splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?

swmishra_splunk · ‎07-31-2019

Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.

You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.

Or you can add it to the default stanza in authorize.conf so that everyone has that capability.

[default]
dispatch_rest_to_indexers = enabled

View solution in original post

swmishra_splunk · ‎07-31-2019

Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.

You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.

Or you can add it to the default stanza in authorize.conf so that everyone has that capability.

[default]
dispatch_rest_to_indexers = enabled

Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability."

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!