401 Unauthorized! Why?

Path Finder

The version i tested is splunk 4.1, and the root_endpoint is set to /splunk.

I cloned an application mysearch from search, and set session timeout to 24 hours. Then i created two dashboards dashboard1 (default view of mysearch) and dashboard2.

Because there is no login page in free license, so first time i view http://myip/splunk/en-US/app/mysearch, the browser will be redirected to http://myip/splunk/en-US/app/search/dashboard. Next, i relocated to http://myip/splunk/en-US/app/mysearch, the browser was redirected to the default view http://myip/splunk/en-US/app/mysearch/dashboard1. Next, when i drilled down from dashboard1 or changed menu to dashboard2 or other operations, i aperiodically got "401 Unauthorized" errors and was kicked back to http://myip/splunk/en-US/app/search/dashboard many times.

From firebug, i got the following 2 kinds of responses for "401 unauthorized":

1) Splunk cannot authenticate the request. CSRF validation failed.

2) No permission -- see authorization schemes

when i requested the following addresses

a) http://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false

b) http://myip/splunk/en-US/api/search/jobs?auto_cancel=90&earliest_time=-4h%40h&latest_time=now&namespace=mysearch&search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&status_buckets=0&ui_dispatch_app=mysearch&ui_dispatch_view=dashboard2

c) http://myip/splunk/en-US/api/messages/index.

d) .......

I think we should login as user "admin" in default and have all permissions in free splunk. And i got nothing about "CSRF validation failed" and "authorization schemes" in this forum and from google. Can anyone give me some suggestions about this?

Thanks & Best Regards.


Tags (1)


Yes. This happens constantly on certain systems, on 4.1.5 as well as the new 4.2 beta. It happens to me every 5 minutes or so. I've been reporting it pretty regularly for months but I havent heard any updates. I'm still not sure what combination of factors is present to make it easier to reproduce but on some browsers/networks/splunkInstances it's REALLY easy to reproduce and on a lot of systems it's impossible.

I've debugged and troubleshooted it quite thoroughly. Here are some answers posts from other people suffering from the bug.

Splunk Employee
Splunk Employee

my non-answer suggestions, hopefully someone else will know more:

  • investigate if you've got a proxy involved here somewhere. It's possible the CSRF header isn't doing what it should with providing the right values.
  • use some sort of sniffer to see the http headers provided for the working and nonworking requests.
  • get a baseline with splunk/en-US/debug/echo
0 Karma