Troubleshoot ACS error messages
The table lists common ACS API error messages and suggested troubleshooting steps you can take to investigate and resolve these issues.
Feature | Error message | Troubleshooting steps |
---|---|---|
All ACS endpoints | 401-unauthorized: call not properly authenticated
|
Possible causes:
|
401-unauthorized","message":"failed to parse token
|
Possible causes:
| |
403-forbidden: operation not supported for splunk stack, please refer to the API documentation for limitations and more detail
|
Check ACS feature compatibility with your Splunk Cloud Platform deployment Experience. See ACS compatibility matrix. | |
403-forbidden: insufficient permission(s) to perform this operation |
Check RBAC table to ensure the user has the right capability(s) to access the endpoint. See Required ACS capabilties. | |
403-forbidden: user does not have the required capability: [x] |
Check RBAC table to ensure the user has the right capability(s) to access the endpoint. See Required ACS capabilties. | |
403-forbidden: user does not have one of the required roles: [x1, x2] |
User must have one of the listed roles to access the endpoint. | |
404-stack-not-found |
Make sure stack name is correct. Each Splunk Cloud Platform deployment is identified by the stack-name , which is the prefix of the deployment's URL. For example, if your deployment's URL is "https://my-company-name.splunkcloud.com" the stack-name is "my-company-name".
| |
409-object-already-exists |
An object with the same name already exists. To update the object, use PATCH or PUT based on the specific ACS API feature. | |
500-internal-server-error |
Make sure your deployment has one or more separate search heads or a search head cluster. ACS is not supported on single instance deployments. | |
503-service-unavailable |
Multiple concurrent requests can cause the service to become unavailable. Retry your request at a later time. | |
424-failed-dependency: A deployment task is still in progress. Please try again later. |
On Classic Experience, if a previous POST/PUT/DELETE/PATCH request is in progress, subsequent requests cannot be made. Retry your request when previous request completes. See Retry failed operations in Splunk Cloud Platform. | |
Configure IP allow lists | 400-bad-request cannot remove all access to stack's <feature> |
This check prevents users from removing all subnets for a certain feature. It ensures there's at least one subnet, preventing users from cutting off all access to their stack for ingestion. |
400-bad-request missing access feature parameter |
You must specify the {feature} parameter with the ACS request, for example search-api , hec ,s2s , and so on. For more information, see Determine IP allow list use case.
| |
400-bad-request |
Make sure the aggregate number of IP subnet rules for the IP allowlist feature group (search heads, indexers, IDMs, or single instance) does not exceed 230. For more information, see IP allow list behavior and IP subnet limits. | |
400-bad-request subnet overlaps splunk's reserved IP blocks |
Refer to Splunk Cloud Platform's reserved IP block: "54.147.174.149/32" | |
400-bad-request cannot delete splunk's reserved subnet
| ||
Configure outbound ports | 400-bad-request invalid port number provided. Please retry with a port number within range 1-65535 |
Determine correct port number and try again with a port number between 1-65535. Not including ports 443, 9997, 2525. |
400-bad-request
| ||
Export apps | 503: App export feature is temporarily unavailable |
Indicates that app export endpoint has been temporarily disabled due to a known issue that can cause credential information to be overwritten. |
403-forbidden","message":"app export operation not supported for this splunk version. |
The specific version of Splunk Cloud Platform you are using does not support ACS app export. To request an upgrade to a version that supports ACS app export, contact Splunk Support. To find the current Splunk Cloud Platform version, in Splunk Web, select Support & Services, then select About. | |
Manage app permissions | 404-app-not-found: {app} app not found |
User inputted a nonexistent app or user's role does not have read permission. |
400-bad-request: Read or write permissions list may not be empty. |
User inputted an empty array as one of the arguments to PATCH. | |
400-bad-request: invalid role provided. |
User inputted an invalid role as an argument in PATCH. Role may be an existing role that the user does not have access to. | |
400-bad-request: Invalid roles set. * cannot include other roles. |
User inputted *, meaning all roles, alongside other roles to PATCH. Remove the duplicate roles. | |
400-bad-request: Invalid role set. Roles with write permission must have read permission. |
User inputted *, meaning all roles, alongside other roles to PATCH. Remove the duplicate roles. | |
Manage HTTP Event Collector (HEC) tokens | 404-hec-not-found |
If returned by GET request after creating new hec-token, token creation is still in progress. It might take a few minutes for hec-token creation process to complete. Repeat GET request until status code is 200. |
424-failed-dependency |
If returned after running an HEC token management operation, send a POST request to the deployment/retry endpoint to retry the failed operation. See Retry failed operations in Splunk Cloud Platform.
| |
Manage indexes | 403-forbidden internal index names cannot be used |
Refer to list of internal indexes: "Main" |
403-forbidden internal index names cannot be deleted
| ||
400-bad-request internal index names are not allowed for defaultIndex
| ||
404-index-not-found |
If returned by GET request after creating new index, index creation is still in progress. It might take a few minutes for the index creation process to complete. Repeat GET request until status code is 200. | |
Manage limits.conf configurations | 403-forbidden - not allowed to access stanza |
Specified limits.conf stanza is not supported by ACS. For more information on limits.conf error messages, see Manage limits.conf configurations. |
Manage private apps | 400-bad-request This app has failed AppInspect validation |
Possible causes:
|
400-bad-request "message":"AppUpload_InspectValidation: Unable to retrieve AppInspect validation result. Try again later. |
Possible causes:
| |
400-bad-request Extract app information from the package failed |
Possible causes:
| |
Manage Python version | 400-bad-request "message": "pythonVersion is invalid". |
Determine the correct Python version for your deployment. You can upgrade or downgrade the version using the ACS python-runtime endpoint. Supported Python versions: force_python3 , python3 , python3.7 , python3.9 , and python2 . See Manage Python versions in Splunk Cloud Platform.
|
Web Application Firewall (WAF) related errors | 403-forbidden |
A 403 response with awselb in response header indicates the request was blocked by WAF. Possible fixes:
If still blocked, contact Splunk Support for assistance. |
429-too-many-request |
Check the request rate. How many requests are you sending? Have you exceeded the rate limit of 300 reqs/min? |
For further assistance with ACS errors, contact Splunk Support.
Administer Splunk Cloud Platform using the ACS CLI |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!