
Troubleshoot ACS error messages
The table lists common ACS API error messages and suggested troubleshooting steps you can take to investigate and resolve these issues.
Feature | Error message | Troubleshooting steps |
---|---|---|
All ACS endpoints | 403-forbidden: operation not supported for splunk stack, please refer to the API documentation for limitations and more detail |
Check ACS feature compatibility with your Splunk Cloud Platform deployment Experience. See ACS compatibility matrix. |
403-forbidden: operation not supported for splunk version, please refer to the API documentation for limitations and more detail |
Check ACS feature compatibility with your Splunk Cloud Platform deployment version. See ACS compatibility matrix. | |
404-stack-not-found |
Make sure stack name is correct. Each Splunk Cloud Platform deployment is identified by the stack-name , which is the prefix of the deployment's URL. For example, if your deployment's URL is "https://my-company-name.splunkcloud.com" the stack-name is "my-company-name".
| |
500-internal-server-error |
Check if stack has a search head. ACS does not work on a single instance. | |
401-unauthorized: call not properly authenticated |
Possible causes:
| |
401-unauthorized","message":"failed to parse token |
Possible causes:
| |
409-object-already-exists |
An object with the same name already exists. To update the object, use PATCH or PUT based on the specific ACS API feature. | |
Configure IP allow lists | 400-bad-request cannot remove all access to stack's <feature> |
This check prevents users from removing all subnets for a certain feature. It ensures there's at least one subnet, preventing users from cutting off all access to their stack for ingestion. |
400-bad-request missing access feature parameter |
You must specify the {feature} parameter with the ACS request, for example search-api , hec ,s2s , and so on. For more information, see Determine IP allow list use case.
| |
400-bad-request subnet overlaps splunk's reserved IP blocks |
Refer to Splunk Cloud Platform's reserved IP block: "54.147.174.149/32" | |
400-bad-request cannot delete splunk's reserved subnet
| ||
Configure outbound ports | 400-bad-request invalid port number provided. Please retry with a port number within range 1-65535 |
Determine correct port number and try again with a port number between 1-65535. |
Manage HTTP Event Collector (HEC) tokens | 404-hec-not-found |
If returned by GET request after creating new hec-token, token creation is still in progress. It might take a few minutes for hec-token creation process to complete. Repeat GET request until status code is 200. |
Manage indexes | 403-forbidden internal index names cannot be used |
Refer to list of internal indexes: "Main" |
403-forbidden internal index names cannot be deleted
| ||
400-bad-request internal index names are not allowed for defaultIndex
| ||
404-index-not-found |
If returned by GET request after creating new index, index creation is still in progress. It might take a few minutes for the index creation process to complete. Repeat GET request until status code is 200. | |
Manage private apps | 400-bad-request This app has failed AppInspect validation |
Possible causes:
|
400-bad-request "message":"AppUpload_InspectValidation: Unable to retrieve AppInspect validation result. Try again later. |
Possible causes:
| |
400-bad-request Extract app information from the package failed |
Possible causes:
| |
Web Application Firewall (WAF) related errors | 403-forbidden |
A 403 response with awselb in response header indicates the request was blocked by WAF. Possible fixes:
If still blocked, contact Splunk Support for assistance. |
For further assistance with ACS errors, contact Splunk Support.
PREVIOUS Administer Splunk Cloud Platform using the ACS CLI |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109, 8.2.2111, 8.2.2112, 8.2.2201 (latest FedRAMP release), 8.2.2202, 8.2.2203
Feedback submitted, thanks!