Splunk data source query jobs fail and log any of the following errors in the SplunkImporterSplunkResultsDriven_<job-ID>.<yyyyMMdd>.log file:

[1:ERROR] SplunkApi.Logoff() Error while executing Logoff

[1:ERROR] Program.Main() Splunk.Client.UnauthorizedAccessException: 403: Forbidden

Error: You (user=<username>) do not have permission to perform this operation (requires capability: edit_httpauths).

The Splunk importer log is located on the server hosting the Splunk import utility (typically the SQL Server host) and stored in the following path:

%SystemDrive%\ProgramData\BayDynamics\Logs

Release : 6.x

Component : Splunk Import Utility

This error is returned when the setting Logoff After Job Completion is enabled in the data source query configuration and the Splunk API account lacks the privilege edit_httpauths on the Splunk server.

To resolve this error, either disable the setting Logoff After Job Completion in the data source query configuration or grant the privilege edit_httpauths to the API account in Splunk.

In ICA 6.5.3.0 and earlier versions, the logoff command was controlled by this setting in the file SplunkImporter.exe.config:

<add key="Splunk.Authentication.DoLogoff" value="False" />

The configuration file is stored in the same folder as the SplunkImporter.exe executable as part of ICA's Database Utilities. These are installed by default on the SQL Server host in the following path:

%SystemDrive%\Program Files\Bay Dynamics\Database Utilities

The Splunk importer is located in the subfolder \Splunk

Beginning with 6.5.4, the Splunk.Authentication.DoLogoff key is set in the data source query editor page in the Risk Fabric console. This setting is enabled by default, which may differ from the value set in the configuration file used with older versions of the importer.