The version I tested is Splunk 4.1, and the root_endpoint is set to /splunk.
I cloned an application mysearch from search, and set the session timeout to 24 hours. Then I created two dashboards, dashboard1 (default view of mysearch) and dashboard2.
Because there is no login page in the free license, the first time I view http://myip/splunk/en-US/app/mysearch, the browser is redirected to http://myip/splunk/en-US/app/search/dashboard. Next, I relocated to http://myip/splunk/en-US/app/mysearch, and the browser was redirected to the default view http://myip/splunk/en-US/app/mysearch/dashboard1. Next, when I drilled down from dashboard1, changed the menu to dashboard2, or did other operations, I aperiodically got "401 Unauthorized" errors and was kicked back to http://myip/splunk/en-US/app/search/dashboard many times.
From Firebug, I got the following 2 kinds of responses for "401 Unauthorized":
1) Splunk cannot authenticate the request. CSRF validation failed.
2) No permission -- see authorization schemes
when I requested the following addresses
I think we should log in as user "admin" by default and have all permissions in free Splunk. And I got nothing about "CSRF validation failed" and "authorization schemes" in this forum and from Google. Can anyone give me some suggestions about this?
Yes. This happens constantly on certain systems, on 4.1.5 as well as the new 4.2 beta. It happens to me every 5 minutes or so. I've been reporting it pretty regularly for months but I haven't heard any updates. I'm still not sure what combination of factors is present to make it easier to reproduce, but on some browsers/networks/splunkInstances it's REALLY easy to reproduce and on a lot of systems it's impossible.
I've debugged and troubleshot it quite thoroughly. Here are some answers posts from other people suffering from the bug.