Splunk User Behavior Analytics
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk users getting logged out repeatedly while they are actively using dashboard

Jugabanhi
Explorer
‎07-01-2021 11:09 PM

Hi All,

Splunk users are repeatedly shown as "Your session expired. Log in to return to the system", while they are actively using splunk. Suggested them to clear cache, but is of no use. This is really frustrating for them as a user point of view.

I have 60min specified already in server.conf and web.conf

Could you please help me to get into the solution.

Regards,

Jugabanhi

Labels (2)
Labels
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-11-2021 05:58 AM

Hi @Jugabanhi not sure of this issue.. only Splunk Support can help us on these situations. could you please follow up with Splunk Support and after your issue got resolved, maybe you could update your solution here, for future reference. thanks. 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-02-2021 05:35 PM

Hi @Jugabanhi more details needed please..

- is this a new install? 

- are there any new upgrades recently?

- the users authentication, is it LDAP? 

 

to troubleshoot further...

There are three timeout settings:

  • The splunkweb session timeout.
  • The splunkd session timeout.
  • The browser session timeout.

If, for some reason, you need to set the timeouts for splunkweb and splunkd to different values, you can do so by editing their underlying configuration files, web.conf (tools.sessions.timeout setting) and server.conf (sessionTimeout setting). 

For example:

$SPLUNK_HOME/etc/system/local/server.conf -

[general]
sessionTimeout = 3h

$SPLUNK_HOME/etc/system/local/web.conf -

[settings]
tools.sessions.timeout = 180

- Could you please try to find out your splunk's splunkweb timeout and splunkd timeout(you said splunkweb timeout as 60mins,.. is splunkd timeout also same, pls doublecheck that)

- pls check with system admins and find out the browsers timeout

these values will help us analyze the problem further. 

https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Configureusertimeouts

 

Best Regards,

Sekar

Reply

Jugabanhi
Explorer
‎07-05-2021 05:46 AM

Hi @inventsekar ,

No, its not a new install, have been upgraded to 8.1 and having LDAP authentication.

However, checked the below:

tools.sessions.timeout = 60

ui_inactivity_timeout = 60

and

sessionTimeout=1h

in /system/default/web.conf and /system/default/server.conf

In system/local , these parameters are not mentioned.

 

Regards,

Jugabanhi

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎07-02-2021 12:25 AM

Hi,.. may i know if you faced this issue or users reported this issue to you? (at times the users exaggerate the small issues).

please check the users login/logout times

index=_internal file=login OR file=logout

 

Reply

Jugabanhi
Explorer
‎07-02-2021 12:54 AM

Hi @inventsekar ,

Thank you for your reply, I have checked with the query that you have provided and found only login events and session timeout happening. It is happening to user and they are not exaggerating this as  I can see multiple times they have been forcefully logged out in middle of their activity.

Regards,

Jugabanhi

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...