Getting Data In

Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability."

Communicator

Since we upgraded from Splunk 6.5.3 to 7.0.3 we are getting the following warning:

REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.

The relevant part of the search is

| rest splunk_server=local /services/authentication/current-context | fields username

According to the Search Reference , splunk_server=local should restrict the search to the search head - so this behavior is intentional. Why am I getting this warning? Can I somehow suppress it?

0 Karma

Splunk Employee
Splunk Employee

Generally, you will get the error If the account you are using to log in to the instance doesn't have the dispatch_rest_to_indexers capability.

You need to add the Dispatch_rest_to_indexers capability to the respective role or the user to make it work.

Or you can add it to the default stanza in authorize.conf so that everyone has that capability.

[default]
dispatch_rest_to_indexers = enabled

Observer

In Splunk Cloud we get this and the capability does not appear to be able to be added to any role.  I get this while logged in as sc-admin and specifying splunk_server=local.  It's aggravating my C level to see the stupid error.

0 Karma

Communicator

It’s a shift in the default authorize.conf file. Originally the capability dispatch_rest_to_indexers was in the [default] stanza, and now it’s move to [admin]. You will need to add it to the roles you want to have that capability.

Builder

@vliggio stopping by to say thanks for this information. I added the following to my /etc/system/local/authorize.conf file to resolve:

[default]
dispatch_rest_to_indexers = enabled

edit: we upgraded from 6.6.4 to 7.1.4

Communicator

Thanks for the hint - still I'm wondering why the capability is required whent I limit the call to the search head (via splunk_server=local).

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!