Splunk User Behavior Analytics

Splunk users getting logged out repeatedly while they are actively using dashboard

Jugabanhi
Explorer

Hi All,

Splunk users are repeatedly shown as "Your session expired. Log in to return to the system", while they are actively using splunk. Suggested them to clear cache, but is of no use. This is really frustrating for them as a user point of view.

I have 60min specified already in server.conf and web.conf

Could you please help me to get into the solution.

Regards,

Jugabanhi

Labels (2)

inventsekar
SplunkTrust
SplunkTrust

Hi @Jugabanhi not sure of this issue.. only Splunk Support can help us on these situations. could you please follow up with Splunk Support and after your issue got resolved, maybe you could update your solution here, for future reference. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @Jugabanhi more details needed please..

- is this a new install? 

- are there any new upgrades recently?

- the users authentication, is it LDAP? 

 

to troubleshoot further...

There are three timeout settings:

  • The splunkweb session timeout.
  • The splunkd session timeout.
  • The browser session timeout.

If, for some reason, you need to set the timeouts for splunkweb and splunkd to different values, you can do so by editing their underlying configuration files, web.conf (tools.sessions.timeout setting) and server.conf (sessionTimeout setting). 

For example:

$SPLUNK_HOME/etc/system/local/server.conf -

[general]
sessionTimeout = 3h

$SPLUNK_HOME/etc/system/local/web.conf -

[settings]
tools.sessions.timeout = 180

- Could you please try to find out your splunk's splunkweb timeout and splunkd timeout(you said splunkweb timeout as 60mins,.. is splunkd timeout also same, pls doublecheck that)

- pls check with system admins and find out the browsers timeout

these values will help us analyze the problem further. 

https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Configureusertimeouts

 

Best Regards,

Sekar

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Jugabanhi
Explorer

Hi @inventsekar ,

No, its not a new install, have been upgraded to 8.1 and having LDAP authentication.

However, checked the below:

tools.sessions.timeout = 60

ui_inactivity_timeout = 60

and

sessionTimeout=1h

in /system/default/web.conf and /system/default/server.conf

In system/local , these parameters are not mentioned.

 

Regards,

Jugabanhi

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi,.. may i know if you faced this issue or users reported this issue to you? (at times the users exaggerate the small issues).

please check the users login/logout times

index=_internal file=login OR file=logout

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

Jugabanhi
Explorer

Hi @inventsekar ,

Thank you for your reply, I have checked with the query that you have provided and found only login events and session timeout happening. It is happening to user and they are not exaggerating this as  I can see multiple times they have been forcefully logged out in middle of their activity.

Regards,

Jugabanhi

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...