Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Disconnecting from Splunk Web

mello920
Path Finder
‎04-29-2022 11:29 AM

Hello,

Does anyone have any idea why this keeps occuring? It happens to me about every 10 minutes. The session timeout is set to 60 minutes. We use SAML with Okta for authentication. I asked the Okta personnel and they said they have a 2 hour time out session. 

Disconnecting from Splunk.png

 

Any help is greatly appreciated!

V/r,

mello920

Labels (2)
0 Karma
Reply

ChrisW-TX
Loves-to-Learn Lots
‎09-15-2022 02:31 PM

I have a similar issue to this, the exact same behavior as above for a Centrify SAML authenticated Splunk instance, however it happens at 15 minutes on the dot whether you're using the session or not.  Non-SAML Splunk Web sessions don't have this issue.  If you try to do anything in the window as shown above, like refresh, you get an ugly error from the Centrify Connector:

ChrisWTX_0-1663277333391.png

Of course we've engaged Centrify/Delinea but they aren't convinced it's not a problem on Splunk side.  I've verified Splunk is not restarting and there is no timeout or TTL setting I can find that equates to 15 minutes.  Also can't find any events concerning the disconnect in internal Splunk logs or ingested Delinea logs.

Unfortunately this behavior makes our users reluctant to rely on the SAML Sessions.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎05-01-2022 01:19 AM

@mello920 - I personally have encountered this only when I'm restarting the Splunk service.

Can you please check your Splunk internal logs to see if your Splunk service is getting restarted or not?

index=_* (stop* OR start* OR clos* OR shut OR flush*)

(Please also specify host=<your-SH-host>, to improve the search.)

 

I hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...