Monitoring Splunk

Warnings on Splunk TCP Port Closures (Splunk Cloud)

willemjongeneel
Communicator

Hello,

I am receiving warnings on my splunk cloud monitoring console:

[screenshot of the monitoring console warnings]

I am not sure what caused this errors to occur. Can anyone tell me what the errors mean and what I can do to resolve them?

Thanks in advance, kind regards,

Willem

1 Solution

DavidHourani
Super Champion

Hi @willemjongeneel,

You seem to have two problems there:

1- The warning message of the subsearch: it seems that the account you're using does not have the required capability to run this search. You need to add the dispatch_rest_to_indexers capability.

2- The error message is trying to reach your distributed search peer configuration, but apparently you have nothing configured there locally, so the endpoint fails. Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there.

Let me know if that helps.

Cheers,
David

willemjongeneel
Communicator

Hi @DavidHourani

Thank you for your quick response.

1: I don't see the dispatch_rest_to_indexers capability in the Splunk Cloud GUI. Could it be one of the following capabilities?

rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set

2: Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there. --> Do you know if this is possible in managed Splunk Cloud GUI? Where should I add this?

Kind regards,
Willem


DavidHourani
Super Champion

Hi @willemjongeneel,

1: Check here: https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/authorizeconf (the capability is this one: [capability::dispatch_rest_to_indexers])

2: It should be possible: from Settings -> Distributed search -> Search peers.
If you don't have the "Distributed search" option, then no, it's not possible to do it via the GUI.


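The two checks David describes (does my role actually hold dispatch_rest_to_indexers, and are any distributed search peers configured?) can be run against the management REST API rather than hunted for in the GUI. The script below is an added example for this thread, not Splunk's code or anything from the original posts. It parses the JSON that `GET /services/authorization/roles?output_mode=json` and `GET /services/search/distributed/peers?output_mode=json` return (fetch them with `curl -s -u <user> https://<search-head>:8089/...` or, inside Splunk, with `| rest /services/authorization/roles splunk_server=local`, which runs only on the search head and so does not itself need the capability). The payloads embedded here are constructed samples in that shape; the field names (`capabilities`, `imported_capabilities`, `imported_roles`, `status`) are from the REST reference as I recall it and should be treated as assumptions to verify against your own output. The role names `sc_admin` and `mc_user` are invented for the sample.

```python
"""Check a Splunk role for dispatch_rest_to_indexers and list distributed
search peers from the JSON shape returned by the management REST API.

Added example for this thread; not Splunk code. The payloads below are
constructed samples of:
  GET /services/authorization/roles?output_mode=json
  GET /services/search/distributed/peers?output_mode=json
"""
import json

CAPABILITY = "dispatch_rest_to_indexers"

# Constructed sample of the roles endpoint, trimmed to the fields used.
# "sc_admin" inherits from "admin"; neither holds the capability, which is the
# state the support answer later in this thread describes. "mc_user" is an
# invented role that still holds it, to show the difference.
ROLES_SAMPLE = json.dumps({
    "entry": [
        {"name": "admin",
         "content": {"capabilities": ["rest_apps_view", "rest_properties_get", "search"],
                     "imported_roles": [],
                     "imported_capabilities": []}},
        {"name": "sc_admin",
         "content": {"capabilities": ["rest_apps_management"],
                     "imported_roles": ["admin"],
                     "imported_capabilities": ["rest_apps_view", "rest_properties_get", "search"]}},
        {"name": "mc_user",
         "content": {"capabilities": ["dispatch_rest_to_indexers"],
                     "imported_roles": [],
                     "imported_capabilities": []}},
    ]
})

# Constructed samples of the distributed peers endpoint: none configured (the
# situation behind the "distributed search peer" error) and two configured.
PEERS_SAMPLE_EMPTY = json.dumps({"entry": []})
PEERS_SAMPLE = json.dumps({"entry": [
    {"name": "sh1.example.internal:8089", "content": {"status": "Up"}},
    {"name": "sh2.example.internal:8089", "content": {"status": "Down"}},
]})


def effective_capabilities(roles_json: str, role: str) -> set:
    """Capabilities a role holds directly plus those inherited via imported roles.

    The endpoint normally flattens inheritance into imported_capabilities; the
    walk over imported_roles makes the answer the same if that field is absent.
    """
    entries = {e["name"]: e["content"] for e in json.loads(roles_json)["entry"]}
    seen, todo, caps = set(), [role], set()
    while todo:
        name = todo.pop()
        if name in seen or name not in entries:
            continue
        seen.add(name)
        content = entries[name]
        caps.update(content.get("capabilities", []))
        caps.update(content.get("imported_capabilities", []))
        todo.extend(content.get("imported_roles", []))
    return caps


def role_has_capability(roles_json: str, role: str, capability: str = CAPABILITY) -> bool:
    return capability in effective_capabilities(roles_json, role)


def roles_with_capability(roles_json: str, capability: str = CAPABILITY) -> list:
    """Every role that grants the capability; empty if it was removed platform-wide."""
    return sorted(e["name"] for e in json.loads(roles_json)["entry"]
                  if capability in effective_capabilities(roles_json, e["name"]))


def search_peers(peers_json: str) -> list:
    """(peer, status) for each configured distributed search peer."""
    return [(e["name"], e["content"].get("status", "unknown"))
            for e in json.loads(peers_json)["entry"]]


def diagnose(roles_json: str, peers_json: str, role: str) -> list:
    """Findings that map onto the two monitoring console messages in the thread."""
    findings = []
    if not role_has_capability(roles_json, role):
        holders = roles_with_capability(roles_json)
        findings.append(f"role {role!r} lacks {CAPABILITY}"
                        + (f" (held by: {', '.join(holders)})" if holders
                           else " (no role grants it)"))
    peers = search_peers(peers_json)
    if not peers:
        findings.append("no distributed search peers configured")
    else:
        down = [p for p, s in peers if s != "Up"]
        if down:
            findings.append("search peers not Up: " + ", ".join(down))
    return findings


if __name__ == "__main__":
    for finding in diagnose(ROLES_SAMPLE, PEERS_SAMPLE_EMPTY, "sc_admin"):
        print("FINDING:", finding)
```

If `roles_with_capability` comes back empty for every role, the capability is simply not granted anywhere on the stack, which is the "removed from everyone" case support confirmed below, and no amount of role editing in the GUI will surface it; that is the point at which a support ticket is the right move rather than further capability hunting.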
willemjongeneel
Communicator

Hi @DavidHourani

I cannot see this capability in Splunk Cloud.
Also, I don't have the Distributed search option in the Splunk Cloud GUI.

I'll make a ticket at Splunk support for this.

Thanks for your help.

Kind regards,
Willem Jongeneel


DavidHourani
Super Champion

Most welcome! Let me know how that turns out. And please accept the answer if it helped.


willemjongeneel
Communicator

I've received the following response from support:

Yes, there is currently a defect open in the CMC.
The "dispatch_rest_to_indexers" capability has been removed from everyone. It was a code change.

It will be fixed in CMC v1.2, but there is no ETA as of yet.

Kind regards,
Willem

dougtc
Engager

Thanks for that. It's April 2021 and no fix for this, yet.
