Deployment Architecture

Splunk Smartstore: Remote Storage Http Error Status Codes

saiganesh49
Explorer

I have configured Smart Store on our Splunk cluster recently, after the changes,
I was seeing 403 and 404 errors in Remote Storage Http Error Status Codes.

Is anyone had the similar issue ?

1 Solution

saiganesh49
Explorer
{
    "Version": "***",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:DeleteObjectVersion",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:RestoreObject",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutLifecycleConfiguration",
                "s3:GetBucketCORS",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::your-smartstore-bucket-name/*",
                "arn:aws:s3:::your-smartstore-bucket-name"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

this bucket policy has zeroed my 403 errors , as far as 404 errors Splunk confirmed that this will be fixed in the future releases.

View solution in original post

0 Karma

saiganesh49
Explorer
{
    "Version": "***",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:DeleteObjectVersion",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:RestoreObject",
                "s3:ListBucket",
                "s3:GetBucketVersioning",
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutLifecycleConfiguration",
                "s3:GetBucketCORS",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::your-smartstore-bucket-name/*",
                "arn:aws:s3:::your-smartstore-bucket-name"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadBucket"
            ],
            "Resource": "*"
        }
    ]
}

this bucket policy has zeroed my 403 errors , as far as 404 errors Splunk confirmed that this will be fixed in the future releases.

0 Karma

cudgel
Path Finder

We are seeing the same thing in our environment. 403's doing REST.GET.BUCKETVERSIONS and 404's on REST.HEAD.OBJECT for keys ending in "receipts.json" or "done". Searches don't seem to be having problems, but we have a very high error count.

0 Karma

saiganesh49
Explorer

which version of Splunk are you on ?

0 Karma

cudgel
Path Finder

version 7.2.5.1

0 Karma

rwsisson
Explorer

version 7.3.0

0 Karma

srajarat2
Path Finder

Based on our troubleshooting, Splunk is issuing a get_object of receipt.json (with the whole bucket details in the object name) before even performing a put_object and this should result in 404. As per Splunk support this can be ignored unless you see 404 for the same object multiple times.

0 Karma

jbuckner85
Path Finder

Did you ever find a resolution to this issue? We are encountering the same thing.

0 Karma

rwsisson
Explorer

No, we did not

0 Karma

saiganesh49
Explorer

posted in answer

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...