Monitoring Splunk

Warnings on Splunk TCP Port Closures (Splunk Cloud)

willemjongeneel
Communicator

Hello,

I am receiving warnings on my splunk cloud monitoring console:

alt text

I am not sure what caused this errors to occur. Can anyone tell me what the errors mean and what I can do to resolve them?

Thanks in advance, kind regards,

Willem

Tags (1)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @willemjongeneel,

You seems to have two problems there :

1- The warning message of the subsearch, it seems that the account your using does not have the required capability to run this search. You need to add the dispatch_rest_to_indexers capability.

2- The error message is trying to reach your distributed search peer configuration but apparently you have nothing configured there locally so the endpoint fails. Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there.

Let me know if that helps.

Cheers,
David

View solution in original post

DavidHourani
Super Champion

Hi @willemjongeneel,

You seems to have two problems there :

1- The warning message of the subsearch, it seems that the account your using does not have the required capability to run this search. You need to add the dispatch_rest_to_indexers capability.

2- The error message is trying to reach your distributed search peer configuration but apparently you have nothing configured there locally so the endpoint fails. Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there.

Let me know if that helps.

Cheers,
David

willemjongeneel
Communicator

Hi @DavidHourani

Thank you for your quick response.

1: I dont see the dispatch_rest_to_indexers capability in Splunk Cloud GUI. Could it be one of the following capabilities?

rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set

2: Make sure to add your search heads as search peers on the monitoring console to be able to fetch data from there. --> Do you know if this is possible in managed Splunk Cloud GUI? Where should I add this?

Kind regards,
Willem

0 Karma

DavidHourani
Super Champion

Hi @willemjongeneel,

1: Check here : https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/authorizeconf the capability is this one : [capability::dispatch_rest_to_indexers]

2- it should be possible : from settings -> distributed search -> search peers.
If you don't have the " distributed search " option then no it's not possible to do it via GUI.

0 Karma

willemjongeneel
Communicator

Hi @DavidHourani

I cannot see this capability in Splunk Cloud.
Also I dont have the distributed search option in the Splunk Cloud gui.

I'll make a ticket at Splunk support for this.

Thanks for your help.

Kind regards,
Willem Jongeneel

0 Karma

DavidHourani
Super Champion

Most welcome! Let me know how that turns up. And please accept the answer if it helped

0 Karma

willemjongeneel
Communicator

I've received the following response from support:

yes - there is currently a defect open in the CMC
The "dispatch_rest_to_indexers" capability has been removed from everyone. It was a code change.

It will be fixed CMC v.1.2 - but no eta as of yet .

Kind regards,
Willem

dougtc
Engager

Thanks for that. It's April 2021 and no fix for this, yet.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...