Disconnecting from Splunk Web

mello920 · ‎04-29-2022

Hello,

Does anyone have any idea why this keeps occuring? It happens to me about every 10 minutes. The session timeout is set to 60 minutes. We use SAML with Okta for authentication. I asked the Okta personnel and they said they have a 2 hour time out session.

Any help is greatly appreciated!

V/r,

mello920

ChrisW-TX · ‎09-15-2022

I have a similar issue to this, the exact same behavior as above for a Centrify SAML authenticated Splunk instance, however it happens at 15 minutes on the dot whether you're using the session or not. Non-SAML Splunk Web sessions don't have this issue. If you try to do anything in the window as shown above, like refresh, you get an ugly error from the Centrify Connector:

Of course we've engaged Centrify/Delinea but they aren't convinced it's not a problem on Splunk side. I've verified Splunk is not restarting and there is no timeout or TTL setting I can find that equates to 15 minutes. Also can't find any events concerning the disconnect in internal Splunk logs or ingested Delinea logs.

Unfortunately this behavior makes our users reluctant to rely on the SAML Sessions.

VatsalJagani · ‎05-01-2022

@mello920 - I personally have encountered this only when I'm restarting the Splunk service.

Can you please check your Splunk internal logs to see if your Splunk service is getting restarted or not?

index=_* (stop* OR start* OR clos* OR shut OR flush*)

(Please also specify host=<your-SH-host>, to improve the search.)

I hope this helps!!!

Disconnecting from Splunk Web

troubleshooting

using Splunk Enterprise

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases