After upgrading ICA to version 6.5.4, Splunk data source IW jobs fail and return any of the following errors captured in the SplunkImporterSplunkResultsDriven.log files:
[1:ERROR] SplunkApi.Logoff() Error while executing Logoff
[1:ERROR] Program.Main() Splunk.Client.UnauthorizedAccessException: 403: Forbidden
Error: You (user=username) do not have permission to perform this operation (requires capability: edit_httpauths).
Release : 6.5.4
This error is returned when the Splunk API user lacks the privilege edit_httpauths on the Splunk server.
In ICA 126.96.36.199 and earlier versions, the logoff command was controlled by this setting in the file SplunkImporter.exe.config:
<add key="Splunk.Authentication.DoLogoff" value="False" />
With 6.5.4, this setting is now controlled in the data source query editor page. This setting is enabled by default, which may differ from the value set in the configuration file used with older versions of the importer.
This error can be addressed by either adding the privilege edit_httpauths to the API user account in Splunk, or by disabling the logoff command passed by the Splunk query in ICA.