Getting Data In

Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability."

Communicator

Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:

REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.

The relevant part of the search is

| rest splunk_server=local /services/authentication/current-context | fields username

According to the Search Reference , splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?

0 Karma

Splunk Employee
Splunk Employee

Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.

You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.

Or you can add it to the default stanza in authorize.conf so that everyone has that capability.

[default]
dispatch_rest_to_indexers = enabled

Observer

In Splunk Cloud we get this and the capability does not appear to be able to be added to any role.  I get this while logged in as sc-admin and specifying splunk_server=local.  It's aggravating my C level to see the stupid error.

0 Karma

Communicator

It’s a shift in the default authorize.conf file. Originally the capability dispatch_rest_to_indexers was in the [default] stanza, and now it’s move to [admin]. You will need to add it to the roles you want to have that capability.

Builder

@vliggio stopping by to say thanks for this information. I added the following to my /etc/system/local/authorize.conf file to resolve:

[default]
dispatch_rest_to_indexers = enabled

edit: we upgraded from 6.6.4 to 7.1.4

Communicator

Thanks for the hint - still I'm wondering why the capability is required whent I limit the call to the search head (via splunk_server=local).