I tried to install the new version of Splunk Light and the installation looks good, but when I try to sign in and change the default password I get this error:
Splunk cannot authenticate the request. CSRF validation failed.
When I try to change the HTTP to HTTPS configuration I get this error:
Your entry was not saved. The following error was reported: SyntaxError: Unexpected token < in JSON at position 0.
In the log I get this error:
10-12-2017 19:35:29.532 -0500 ERROR UiAuth - Request from 10.1.94.11 to "/en-GB/splunkd/__raw/servicesNS/admin/search/search/jobs" failed CSRF validation -- expected "17589544990277644692", but instead cookie had "" and header had ""
Does someone know how to correct this?
Thanks for the help.
You probably have a cookie in cache with parameters in conflict with your current Splunk configuration (either because you reinstalled and it was HTTP at one time, or changed some related settings, which makes the cookie look like it could have been tampered with by an attacker).
Just remove cookies for that site from your browser cache and try again; that usually fixes this kind of CSRF error message behavior.
Thanks. Did not want to clear everything, so tried in-private mode which also seemed to let me complete ES install.
You may want to check this doc which suggests 2 X-headers are mandatory.
Cookie: splunkd_PORT=splunkd_cookie;splunkweb_csrf_token_PORT=csrf_token,
Content-type: application/json,
X-Requested-With: XMLHttpRequest,
X-Splunk-Form-Key: csrf_token
You will find more details in the doc below:
https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI
Or check this one as well:
https://answers.splunk.com/answers/772850/custom-api-endpoint-returning-csrf-error-on-post.html
Thank you very much for this answer which solved my problem after googling revealed this thread. Any reason these are the docs for the Splunk App for Stream? I'm under the impression this is a Splunk Enterprise feature.
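As an added example (not part of the original thread and not Splunk's own code), the Python below parses the UiAuth log line quoted in the question to show which side of the cookie/header check failed, and builds the header set listed in the answer above from a browser cookie string. The cause labels, the function names, port 8000 and every sample value except the first log line are assumptions made for illustration.

```python
import re

# Matches the UiAuth CSRF failure line quoted in the question.
CSRF_RE = re.compile(
    r'ERROR UiAuth - Request from (?P<src>\S+) to "(?P<path>[^"]*)" failed CSRF '
    r'validation -- expected "(?P<expected>[^"]*)", but instead cookie had '
    r'"(?P<cookie>[^"]*)" and header had "(?P<header>[^"]*)"'
)

def diagnose(line):
    """Return the parsed fields plus a cause label, or None for unrelated lines."""
    m = CSRF_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    if not d["cookie"] and not d["header"]:
        d["cause"] = "no_token"          # browser sent neither cookie nor header
    elif d["cookie"] != d["expected"]:
        d["cause"] = "cookie_mismatch"   # e.g. stale cookie from an earlier install
    elif d["header"] != d["expected"]:
        d["cause"] = "header_mismatch"   # client did not copy the token into the header
    else:
        d["cause"] = "unknown"
    return d

def csrf_headers(cookie_header, port):
    """Build the headers from the answer, copying the CSRF cookie into the form key."""
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    token = cookies[f"splunkweb_csrf_token_{port}"]  # KeyError if the cookie is absent
    return {
        "Cookie": cookie_header,
        "Content-type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "X-Splunk-Form-Key": token,
    }

PREFIX = '10-12-2017 19:35:29.532 -0500 ERROR UiAuth - Request from '
SAMPLE_LOG = [
    # First line is the one quoted in the question; the other two are constructed.
    PREFIX + '10.1.94.11 to "/en-GB/splunkd/__raw/servicesNS/admin/search/search/jobs" '
    'failed CSRF validation -- expected "17589544990277644692", '
    'but instead cookie had "" and header had ""',
    PREFIX + '192.0.2.10 to "/en-GB/example" failed CSRF validation -- '
    'expected "111", but instead cookie had "999" and header had "999"',
    PREFIX + '192.0.2.10 to "/en-GB/example" failed CSRF validation -- '
    'expected "111", but instead cookie had "111" and header had ""',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry)["src"], diagnose(entry)["cause"])
```

The line from the question falls in the first case: the request carried neither the cookie nor the header.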
If you are experiencing this in Chrome and have a recent version of Chrome where the option to search for cookies by site seems to have been skillfully hidden leaving you with the option to nuke all your cookies (which you may not want to do) - then you can resolve the issue as follows ...
open chrome
enter the following into the address bar
chrome://settings/siteData
enter the host/splunk instance in the search bar to locate any cookies
delete
That should fix the issue. (Just did it myself for the same reason).
I got the same error while loading a UI app and resolved it after clearing the cache.
Thanks!!
THANKS A LOT!!!!
Your answer resolved my problem...... 😃
Very thankful.