Splunk importer job fails with error SplunkApi.Logoff() Error while executing Logoff

Article ID: 200397

Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

After upgrading ICA to version 6.5.4, Splunk data source IW jobs fail and return any of the following errors captured in the SplunkImporterSplunkResultsDriven.log files:

[1:ERROR] SplunkApi.Logoff() Error while executing Logoff

[1:ERROR] Program.Main() Splunk.Client.UnauthorizedAccessException: 403: Forbidden

Error: You (user=username) do not have permission to perform this operation (requires capability: edit_httpauths).

Environment

Release : 6.5.4

Component : Splunk Import Utility

Cause

This error is returned when the Splunk API user lacks the edit_httpauths capability on the Splunk server.

In ICA 6.5.3.0 and earlier versions, the logoff command was controlled by this setting in the file SplunkImporter.exe.config:

<add key="Splunk.Authentication.DoLogoff" value="False" />

With 6.5.4, this setting is now controlled in the data source query editor page. This setting is enabled by default, which may differ from the value set in the configuration file used with older versions of the importer.

Resolution

This error can be addressed either by adding the edit_httpauths capability to the API user account in Splunk, or by disabling the logoff command passed by the Splunk query in ICA.
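
The first option, shown as an added example that is not part of the original article: a dedicated Splunk role in authorize.conf that grants only the missing capability, instead of assigning the API account an administrative role. The role name ica_api_logoff is hypothetical, and inheriting from the built-in user role is an assumption about what the importer's searches need.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Added example: hypothetical role for the ICA Splunk API account.

[role_ica_api_logoff]
# Assumption: the built-in "user" role already covers the searches
# the importer runs; adjust to the role the account uses today.
importRoles = user

# The capability named in the 403 error; needed for the logoff call.
edit_httpauths = enabled
```

Assign this role to the API user in place of a broader one. If the account should not hold edit_httpauths at all, use the second option and disable the logoff command in the ICA data source query editor.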