Getting Data In

Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability."

krdo
Communicator

Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:

REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.

The relevant part of the search is

| rest splunk_server=local /services/authentication/current-context | fields username

According to the Search Reference , splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?

0 Karma

swmishra_splunk
Splunk Employee
Splunk Employee

Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.

You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.

Or you can add it to the default stanza in authorize.conf so that everyone has that capability.

[default]
dispatch_rest_to_indexers = enabled

ntennant
Loves-to-Learn

In Splunk Cloud we get this and the capability does not appear to be able to be added to any role.  I get this while logged in as sc-admin and specifying splunk_server=local.  It's aggravating my C level to see the stupid error.

0 Karma

vliggio
Communicator

It’s a shift in the default authorize.conf file. Originally the capability dispatch_rest_to_indexers was in the [default] stanza, and now it’s move to [admin]. You will need to add it to the roles you want to have that capability.

andrewtrobec
Builder

@vliggio stopping by to say thanks for this information. I added the following to my /etc/system/local/authorize.conf file to resolve:

[default]
dispatch_rest_to_indexers = enabled

edit: we upgraded from 6.6.4 to 7.1.4

krdo
Communicator

Thanks for the hint - still I'm wondering why the capability is required whent I limit the call to the search head (via splunk_server=local).

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...