ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Splunk importer job fails with error SplunkApi.Logoff() Error while executing Logoff

book

Article ID: 200397

calendar_today

Updated On:

Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

After upgrading ICA to version 6.5.4, Splunk data source IW jobs fail and return any of the following errors captured in the SplunkImporterSplunkResultsDriven.log files:

[1:ERROR] SplunkApi.Logoff() Error while executing Logoff

[1:ERROR] Program.Main() Splunk.Client.UnauthorizedAccessException: 403: Forbidden

Error: You (user=username) do not have permission to perform this operation (requires capability: edit_httpauths).

Cause

This error is returned when the Splunk API user lacks the privilege edit_httpauths on the Splunk server.

In ICA 6.5.3.0 and earlier versions, the logoff command was controlled by this setting in the file SplunkImporter.exe.config:

<add key="Splunk.Authentication.DoLogoff" value="False" />

With 6.5.4, this setting is now controlled in the data source query editor page. This setting is enabled by default, which may differ from the value set in the configuration file used with older versions of the importer.

Environment

Release : 6.5.4

Component :

Resolution

This error can be addressed by either adding the privilege edit_httpauths to the API user account in Splunk, or by disabling the logoff command passed by the Splunk query in ICA.