Splunk Search

"Write access to the proxy endpoint is disabled. " for any searches after upgrading from 5.0.4 to 6.0

DaClyde
Contributor

I get the following error for all of my searches after upgrading from 5.0.4 to 6.0:

Write access to the proxy endpoint is disabled.

Anyone have any idea what this means? I'm just running on a standalone Win7 machine, no forwarders or anything exotic involved.

Tags (3)
0 Karma
1 Solution

arobbins_splunk
Splunk Employee
Splunk Employee

That error comes up if write access to the proxy endpoint is explicitly denied. In web.conf there is a setting enable_proxy_write that needs to be set to True.

The default setting that ships with Splunk is True. Check etc/system/local/web.conf and see if it is being set to False.

The reason that you are seeing this in Splunk 6 and not in Splunk 5 is that we've moved almost all of the logic and rendering for the search app into the browser. It communicates with splunkd through the proxy endpoint in splunkweb.

View solution in original post

arobbins_splunk
Splunk Employee
Splunk Employee

That error comes up if write access to the proxy endpoint is explicitly denied. In web.conf there is a setting enable_proxy_write that needs to be set to True.

The default setting that ships with Splunk is True. Check etc/system/local/web.conf and see if it is being set to False.

The reason that you are seeing this in Splunk 6 and not in Splunk 5 is that we've moved almost all of the logic and rendering for the search app into the browser. It communicates with splunkd through the proxy endpoint in splunkweb.

View solution in original post

DaClyde
Contributor

Thank you, I'll get my files cleaned up and keep an eye on that in the future. Now I understand the "DO NOT EDIT THIS FILE!" warning. I didn't think it made sense given the context.

0 Karma

hexx
Splunk Employee
Splunk Employee

The headers of configuration files are not read by Splunk.

The presence of this header in $SPLUNK_HOME/etc/system/local/web.conf is abnormal and seems to indicate that someone has copied $SPLUNK_HOME/etc/system/default/web.confto that location. This is not a good idea, as it prevents changes brought by Splunk upgrades in the default web.conf to take effect.

I would recommend to review the contents of the local version of web.conf and to retain only the things you've changed locally. You should not have a full copy of the default web.conf in the local directory.

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

Let me check with our qa/support team to see if this is expected behavior in an upgrade scenario. A fresh install would have Version 6.0 at the top of the file.

0 Karma

DaClyde
Contributor

From the top of the file:

Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.3.1
DO NOT EDIT THIS FILE!
Please make all changes to files in $SPLUNK_HOME/etc/system/local.
To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
into ../local and edit there.

This file contains possible attributes and values you can use to configure Splunk's web interface.

0 Karma

arobbins_splunk
Splunk Employee
Splunk Employee

You may be getting out of my comfort-zone, but I don't think we query the conf files for the version info (at least not now). Can you copy/paste the part of your web.conf that lists that version? (or, is this a filesystem meta-data version, in which case it may not have been updated since the original install)

0 Karma

DaClyde
Contributor

That took care if it, thank you. Mine was set to False. I can now access my data.

Should the conf files all have the version of the current Splunk install? My web.conf listed 4.3.1 (I've gone through several upgrades on this machine).

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!