How to block connectivity to Splunk Web on multipl...

KwonTaeHoon · ‎10-06-2022

Hello

Multiple PCs can access the same ID when connecting the web to the splunk.

Even if I connect to multiple PCs with the same ID, I only keep the last session I accessed, and the PCs I logged in to before are looking for a way to disconnect the session I accessed.

In a single instance, the session could be cut off as follows.

./splunk _internal call "/services/authentication/httpauth-tokens/[SESSION_ID]" -method DELETE

The above SESSION_ID used the other field value of the splunk ui access log.

However, this method does not work in a search header cluster.

Can I have a search header cluster maintain only the last session I accessed when connecting from multiple PCs with the same ID?

I look forward to hearing from you.

johnhuang · ‎10-06-2022

I don't fully understand your objective but it sounds like you have an issue where the previous machines you've logged into are maintaining active sessions with Splunk Web? If that's the case, I think you should look into configuring user session inactivity timeout and set it to 15 minutes.

https://docs.splunk.com/Documentation/Splunk/8.2.8/Admin/Configureusertimeouts

KwonTaeHoon · ‎10-06-2022

My goal is to prevent multiple IPs from maintaining access with the same ID and to keep only the last logged-in session.

How to block connectivity to Splunk Web on multiple PC's?

login

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...