Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:
REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.
The relevant part of the search is
| rest splunk_server=local /services/authentication/current-context | fields username
According to the Search Reference ,
splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?
Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.
You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.
Or you can add it to the default stanza in authorize.conf so that everyone has that capability.
dispatch_rest_to_indexers = enabled
In Splunk Cloud we get this and the capability does not appear to be able to be added to any role. I get this while logged in as sc-admin and specifying splunk_server=local. It's aggravating my C level to see the stupid error.
It’s a shift in the default authorize.conf file. Originally the capability dispatch_rest_to_indexers was in the [default] stanza, and now it’s move to [admin]. You will need to add it to the roles you want to have that capability.
@vliggio stopping by to say thanks for this information. I added the following to my /etc/system/local/authorize.conf file to resolve:
[default] dispatch_rest_to_indexers = enabled
edit: we upgraded from 6.6.4 to 7.1.4