search cancel

Splunk importer job fails with error SplunkApi.Logoff() Error while executing Logoff


Article ID: 200397


Updated On:


Information Centric Analytics Data Loss Prevention Core Package


After upgrading ICA to version 6.5.4, Splunk data source IW jobs fail and return any of the following errors captured in the SplunkImporterSplunkResultsDriven.log files:

[1:ERROR] SplunkApi.Logoff() Error while executing Logoff

[1:ERROR] Program.Main() Splunk.Client.UnauthorizedAccessException: 403: Forbidden

Error: You (user=username) do not have permission to perform this operation (requires capability: edit_httpauths).


This error is returned when the Splunk API user lacks the privilege edit_httpauths on the Splunk server.

In ICA and earlier versions, the logoff command was controlled by this setting in the file SplunkImporter.exe.config:

<add key="Splunk.Authentication.DoLogoff" value="False" />

With 6.5.4, this setting is now controlled in the data source query editor page. This setting is enabled by default, which may differ from the value set in the configuration file used with older versions of the importer.


Release : 6.5.4

Component :


This error can be addressed by either adding the privilege edit_httpauths to the API user account in Splunk, or by disabling the logoff command passed by the Splunk query in ICA.