Splunk Enterprise

Splunk cannot authenticate the request. CSRF validation failed.

tomasnelson
Explorer

i tray to install splunk light new version and it looks good the installation, but when i tray to sing and change the default password i get this error:
Splunk cannot authenticate the request. CSRF validation failed.

When i tray to change http to https configuration i get this error:
Your entry was not saved. The following error was reported: SyntaxError: Unexpected token < in JSON at position 0.

in the log i get this error.
10-12-2017 19:35:29.532 -0500 ERROR UiAuth - Request from 10.1.94.11 to "/en-GB/splunkd/__raw/servicesNS/admin/search/search/jobs" failed CSRF validation -- expected "17589544990277644692", but instead cookie had "" and header had ""

someone know how to correct...??
thanks for the help.

Labels (2)
Tags (1)
1 Solution

maraman_splunk
Splunk Employee
Splunk Employee

you probably have a cookie in cache with parameters in conflict with your current splunk configuration (either because you reinstalled and it was http at a time or change some related settings which make the cookie like it could have been tampered by a attacker)
just remove cookies for that site from your browser cache and try again, that usually fix this kind of CRSF error message behavior.

View solution in original post

CSmoke
Path Finder

Thanks. Did not want to clear everything, so tried in-private mode which also seemed to let me complete ES install.

0 Karma

sylim_splunk
Splunk Employee
Splunk Employee

You may want to check this doc which suggests 2 X-headers are mandatory.

Cookie: splunkd_PORT=splunkd_cookie;splunkweb_csrf_token_PORT=csrf_token,
Content-type: application/json,
X-Requested-With: XMLHttpRequest,
X-Splunk-Form-Key: csrf_token

You will find more details in the doc below;

https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/SplunkAppforStreamRESTAPI
Or check this one as well;
https://answers.splunk.com/answers/772850/custom-api-endpoint-returning-csrf-error-on-post.html

jeffland
SplunkTrust
SplunkTrust

Thank you very much for this answer which solved my problem after googling revealed this thread. Any reason these are the docs for the Splunk App for Stream? I'm under the impression this is a Splunk Enterprise feature.

0 Karma

ddas_splunk
Splunk Employee
Splunk Employee

If you are experiencing this in Chrome and have a recent version of Chrome where the option to search for cookies by site seems to have been skillfully hidden leaving you with the option to nuke all your cookies (which you may not want to do) - then you can resolve the issue as follows ...

open chrome
enter the following into the address bar
chrome://settings/siteData
enter the host/splunk instance in the search bar to locate any cookies
delete

That should fix the issue. (Just did it myself for the same reason).

maraman_splunk
Splunk Employee
Splunk Employee

you probably have a cookie in cache with parameters in conflict with your current splunk configuration (either because you reinstalled and it was http at a time or change some related settings which make the cookie like it could have been tampered by a attacker)
just remove cookies for that site from your browser cache and try again, that usually fix this kind of CRSF error message behavior.

pbankar
Path Finder

I got the same error while loading a UI app and resolved after clearing the cache.
Thanks!!

0 Karma

tomasnelson
Explorer

THANKS A LOT!!!!

you answer resolved my problem...... 😃

very thankful

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...