Has anyone else been getting logged out of splunk in only a few minutes, regardless of the settings for session timeout?
I'm using splunk 4.1.3/4 and firefox 3.6.8 but this problem has been around since version 4 came out. It's driving me nuts. I don't like IE but it doesn't do this at least.
I can't be the only person this is happening to surely!
Yes, you're not crazy. I get 'logged out' sometimes every 5 minutes, sometimes only every 15 minutes. Many different splunk versions, on linux and windows, on both firefox and chrome. I've reported it to several people but I havent heard any updates. I always just hack the JS source to turn off the part where it sends you to /login when it gets a 401. See my answer below.
Yes, this happens constantly for me on Firefox on windows, on multiple splunk servers. It logs me out every 5 minutes or so depending somewhat on the system load. I reported it to support and the UI team a few weeks ago and I think they filed or reopened the relevant bug but I also think maybe they were waiting for someone else to report it as well.
Essentially how this goes (and I reported this in the bug too) is that on one of the slower HTTP requests, either the POST to dispatch or the POST to control, cherrypy will give back a 401. As far as I can tell from request headers there's no reason why cherrypy should give back a 401 but it does (header, session id everything seems to be passed totally correctly). This 401 trips the cross site request forgery logic in jquery_csrf_protection.js, which kicks you out to login.
You arent actually being logged out, it just kicks you to login. For instance if you use your back button you'll be back on the main page and you're still fine.
Long ago I just edited the source code to not redirect anymore so I could get some work done. (I made it broadcast a message instead so I could still see that it's happening constantly)
If you want to edit that line yourself, it's in $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/js/splunk.jquery.csrf_protection.js
, around line 57. Comment out the line that starts with 'document.location'
Also, it's a bit harder to reproduce the bug on Google Chrome, and either much much harder or completely impossible to reproduce on Internet Explorer.
Please please please
do not use "#" as line comment in javascript file
use "//"
Any chance you have multiple tabs open to Splunk Web? This is a common cause of the symptoms you describe - one tab has an expired session, and causes odd behavior with the rest.
Nope, never do this. I generally have one tab open for my splunk session, one or more open on splunk.com looking things up 🙂
It was an erratic problem with Solaris in Splunk 4.1.3 and earlier, but should have been resolved as of 4.1.4. If it is still happening, please open a case with Splunk Support. You might reference bug SPL-24389.
I have a user complaining of a similar issue in 4.1.3 but we aren't running Solaris. I will see if updating resolves the issue for us.
Will do this now. It just did it again...