Hi.
I am trying to run this in splunk cloud:
|rest /services/search/jobs|search isRealTimeSearch=1
But getting this:
Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability
I have looked at users and roles and that capability is not in the list to choose. It is in theSplunk Cloud documentation but simply isnt there to select.
Any ideas why?
Thanks, Keith
You can include in your searches splunk_server=local this will let you retrieve the information from the indexes without the need for the dispatch_rest_to_indexers since this capability is not added to the Cloud users due to security purposes.
Thanks - I have logged a case with Splunk.
Hi Somesoni2 - thanks for the reply.
I had seen the post you referred to and re-read it again but it doesnt helpe becuase:
1) the capability is not in the list to select when editing a role - see screenshot below
2) I cant edit the authorize.conf because I am running Splunk Cloud which means I cant access the folders on the server.
Any other suggestions????
Thanks, Keith
I believe its a known bug. I would contact Splunk support to confirm the same. See the bottom thread of this post: https://community.splunk.com/t5/Monitoring-Splunk/Warnings-on-Splunk-TCP-Port-Closures-Splunk-Cloud/...