Splunk User Behavior Analytics

Splunk users getting logged out repeatedly while they are actively using dashboard

Jugabanhi
Explorer

Hi All,

Splunk users are repeatedly shown as "Your session expired. Log in to return to the system", while they are actively using splunk. Suggested them to clear cache, but is of no use. This is really frustrating for them as a user point of view.

I have 60min specified already in server.conf and web.conf

Could you please help me to get into the solution.

Regards,

Jugabanhi

Labels (2)

inventsekar
Ultra Champion

Hi @Jugabanhi not sure of this issue.. only Splunk Support can help us on these situations. could you please follow up with Splunk Support and after your issue got resolved, maybe you could update your solution here, for future reference. thanks. 

0 Karma

inventsekar
Ultra Champion

Hi @Jugabanhi more details needed please..

- is this a new install? 

- are there any new upgrades recently?

- the users authentication, is it LDAP? 

 

to troubleshoot further...

There are three timeout settings:

  • The splunkweb session timeout.
  • The splunkd session timeout.
  • The browser session timeout.

If, for some reason, you need to set the timeouts for splunkweb and splunkd to different values, you can do so by editing their underlying configuration files, web.conf (tools.sessions.timeout setting) and server.conf (sessionTimeout setting). 

For example:

$SPLUNK_HOME/etc/system/local/server.conf -

[general]
sessionTimeout = 3h

$SPLUNK_HOME/etc/system/local/web.conf -

[settings]
tools.sessions.timeout = 180

- Could you please try to find out your splunk's splunkweb timeout and splunkd timeout(you said splunkweb timeout as 60mins,.. is splunkd timeout also same, pls doublecheck that)

- pls check with system admins and find out the browsers timeout

these values will help us analyze the problem further. 

https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Configureusertimeouts

 

Best Regards,

Sekar

Jugabanhi
Explorer

Hi @inventsekar ,

No, its not a new install, have been upgraded to 8.1 and having LDAP authentication.

However, checked the below:

tools.sessions.timeout = 60

ui_inactivity_timeout = 60

and

sessionTimeout=1h

in /system/default/web.conf and /system/default/server.conf

In system/local , these parameters are not mentioned.

 

Regards,

Jugabanhi

0 Karma

inventsekar
Ultra Champion

Hi,.. may i know if you faced this issue or users reported this issue to you? (at times the users exaggerate the small issues).

please check the users login/logout times

index=_internal file=login OR file=logout

 

Jugabanhi
Explorer

Hi @inventsekar ,

Thank you for your reply, I have checked with the query that you have provided and found only login events and session timeout happening. It is happening to user and they are not exaggerating this as  I can see multiple times they have been forcefully logged out in middle of their activity.

Regards,

Jugabanhi

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...