I noticed the following item in 4.1.4' change logs Consistent redirect to login page when running searches in Splunk Web. (SPL-31268) , but i always ran into consistent redirection sometimes in my application in 4.1.4, and i do not know if it is because of the apache proxy in front of it. Any one can help? Thanks, *** UPDATE *** Hi Simeon, Thanks for your answer, i post some logs below. I do not know if it is because of the following reason that a colleague who is in the USA and me in China using splunk with the same user -- admin. Different browsers ,different timezones, same user, sessiontimeout is set to 24 hours, ......, which i guess may be the reason for the consistent redirect. Any opinions about this? Thanks, 2010-08-16 14:06:04,482 WARNING [4c6929ac7a16c8d4d0] decorators:86 - CSRF: validation failed because client XHR did not include proper header 2010-08-16 14:06:04,482 INFO [4c6929ac7a16c8d4d0] decorators:87 - CSRF: clientSession=fe890db10b4f24d7bfa37e020b512432f33ad4c0 serverSession=0d8bdbe313994f239849d103d8756645884d2318 2010-08-16 14:06:04,482 WARNING [4c6929ac7a16c8d4d0] decorators:91 - CSRF: skipping 401 redirect response because endpoint did not request protection 2010-08-16 14:06:04,482 ERROR [4c6929ac7a16c8d4d0] utility:59 - name=javascript, class=Splunk.Error, lineNumber=0, message=uncaught exception: [Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXMLHttpRequest.status]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: http://192.168.18.192/splunk/en-US/static/@82143/js/splunk.jquery.csrf_protection.js :: anonymous :: line 56" data: no], fileName= 2010-08-16 14:06:05,829 INFO [4c6929add316c8d7d0] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments 2010-08-16 14:06:06,465 INFO [4c6929add316c8d7d0] view:1228 - PERF - viewTime=0.5841s templateTime=0.0518s ...... 2010-08-17 11:21:49,686 INFO [4c6a54acfa16c5a710] view:1228 - PERF - viewTime=0.653s templateTime=0.0527s 2010-08-17 11:22:06,684 WARNING [4c6a54beae16cb8090] decorators:86 - CSRF: validation failed because client XHR did not include proper header 2010-08-17 11:22:06,684 INFO [4c6a54beae16cb8090] decorators:87 - CSRF: clientSession=ab55c1eb9a93ce39fdb1d4aa80bd3905f03c9006 serverSession=e7bc65fc4aed53ade97d43acad7fa3e7c72c1a65 2010-08-17 11:22:10,127 WARNING [4c6a54c22016db15d0] decorators:86 - CSRF: validation failed because client XHR did not include proper header 2010-08-17 11:22:10,128 INFO [4c6a54c22016db15d0] decorators:87 - CSRF: clientSession=ab55c1eb9a93ce39fdb1d4aa80bd3905f03c9006 serverSession=61586a244fac9d3196010ab21f8225df832d0884 2010-08-17 11:22:10,951 INFO [4c6a54c2f216cb8b90] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments 2010-08-17 11:22:12,771 INFO [4c6a54c4c216dc0ad0] _cplogging:55 - [17/Aug/2010:11:22:12] HTTP Request Headers: X-FORWARDED-SERVER: netsee-qa.reston.prod REFERER: http://192.168.18.192/netsee/develop/developing.jsp ACCEPT-LANGUAGE: zh-cn,zh;q=0.5 HOST: 192.168.18.190:8087 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ACCEPT-CHARSET: GB2312,utf-8;q=0.7,*;q=0.7 USER-AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729) CONNECTION: Keep-Alive COOKIE: skin=treeview; ac_pas_locale_timezone=en#5fUS#7cEastern#20Standard#20Time; session_id_8087=e8c541c38fd090b3f1f8d5465d5aeec7c4f016f8 Remote-Addr: 192.168.18.192 X-FORWARDED-HOST: 192.168.18.192 X-FORWARDED-FOR: 10.3.6.142 ACCEPT-ENCODING: gzip,deflate 2010-08-17 11:22:12,772 DEBUG [4c6a54c4c216dc0ad0] _cplogging:55 - [17/Aug/2010:11:22:12] HTTP Traceback (most recent call last): ....... File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/__init__.py", line 168, in make_url return util.make_url(*a, **kw) File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/util.py", line 223, in make_url raise InvalidURLException("Illegal characters in URL") InvalidURLException: Illegal characters in URL 2010-08-17 11:22:14,731 INFO [4c6a54c6ba16b8b810] decorators:301 - require_login - no splunkd sessionKey variable set; cherrypy_session=7e3a99b37d3baacc79d7e2e6111d92bdfa7fc244 request_path=/en-US/app/search/dashboard 2010-08-17 11:22:14,732 INFO [4c6a54c6ba16b8b810] decorators:308 - require_login - redirecting to login ...... 2010-08-19 16:15:48,042 INFO [4c6d3c92da16cb8a90] view:1228 - PERF - viewTime=0.6174s templateTime=0.5697s 2010-08-19 16:15:58,251 INFO [4c6d3c9e3f16cb8810] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments 2010-08-19 16:15:58,781 WARNING [4c6d3c9e3f16cb8810] viewstate:133 - Found invalid keyname in viewstate stanza: disabled 2010-08-19 16:15:58,901 WARNING [4c6d3c9e3f16cb8810] __opt_splunk_share_splunk_search_mrsparkle_modules_results_page_controls_Count_html:63 - No count assigned; reverting to first value in drop down 2010-08-19 16:15:58,912 INFO [4c6d3c9e3f16cb8810] view:1228 - PERF - viewTime=0.5795s templateTime=0.0818s 2010-08-19 16:16:33,427 INFO [4c6d3cc16c16cc5cd0] decorators:301 - require_login - no splunkd sessionKey variable set; cherrypy_session=3db678c055beddf6a321a162fe1959dfd1d9f7c2 request_path=/en-US/api/messages/index 2010-08-19 16:16:33,428 INFO [4c6d3cc16c16cc5cd0] decorators:305 - require_login - is api/XHR request, raising 401 status 2010-08-19 16:17:12,205 WARNING [4c6d3ce83315969c50] decorators:86 - CSRF: validation failed because client XHR did not include proper header 2010-08-19 16:17:12,206 INFO [4c6d3ce83315969c50] decorators:87 - CSRF: clientSession=21c5b6e29d9ebded1cc45a4ef495de1bdbb7c3f1 serverSession=74dd0a59bb07c95bd6763c12506a2d995338974e 2010-08-19 16:17:12,322 WARNING [4c6d3ce85216cc5090] decorators:86 - CSRF: validation failed because client XHR did not include proper header 2010-08-19 16:17:12,323 INFO [4c6d3ce85216cc5090] decorators:87 - CSRF: clientSession=21c5b6e29d9ebded1cc45a4ef495de1bdbb7c3f1 serverSession=a48048cf69e412e00d34dcee51aaaba8116c5bb7 2010-08-19 16:17:16,894 INFO [4c6d3cece41721ef10] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments 2010-08-19 16:17:17,678 INFO [4c6d3cedac172e2110] cached:69 - memoized decorator used on function <function getEntities at 0x15f8e5f0> with non hashable arguments ... View more

Hi, I want to embed some pages in my application. Everything is Ok except when i want to add the following one(using a view to render a saved search). Any one can help, thanks. http://ip/splunk/en_US/account/insecurelogin?username=admin&password=changeme&return_to=/splunk/en-US/app/search/realtime?s=Live Tail Dianbo ... View more

Hi, In my application, i use a file to store problems: when happen and when resolve. When a problem happen, more that one device will find it and record the information. But when a problem is solved, just one message is written to that log file. For example, a segment of the log file is as the following: 2010/07/01 08:01:00 AAA [err] complains "can not find the apple 0001" 2010/07/01 08:01:00 BBB [err] complains "apple 0001 is not there" 2010/07/01 08:01:01 CCC [err] complains "apple 0001 is moved to a new place" ...... 2010/07/01 08:02:00 Main[info] broadcasts "apple 0001 is placed to the right place" Now, I want to get those unresolved problems. I used transaction to do this before, and use startwith="can not find " OR "is not there" OR "is moved to a new place". But just as in the example, the first event ("can not find the apple 0001") is treated as an unresolved problem. Any questions for this question? Thanks & Regards, Dianbo ... View more

Hi, I want to gererate a pie chart, and use the following lines. But I find some options are useless. legend.placement=top. There is no legend in the chart. charting.sliceCollapsingThreshold=0.2. It always uses the default value 0.01. charting.sliceCollapsingLabel=Other User. It displays the dafault value "Other". Is this a bug or i missed something? Is the option name in advanced view "charting. XXXX" or "charting.PieChart.XXXX"? Thanks & Regards, Dianbo <module name="HiddenSearch" autoRun="False" layoutPanel="panel_row2_col1"> <param name="search">index="loglog" | stats count by user | sort -count </param> <module name="HiddenChartFormatter"> <param name="chart">pie</param> <param name="primaryAxisTitle.text">Pie Chart Test</param> <param name="secondaryAxisTitle.text">Count</param> <param name="legend.placement">top</param> <param name="charting.sliceCollapsingThreshold">0.2</param> <param name="charting.sliceCollapsingLabel">AAAAA</param> <module name="JobProgressIndicator"/> <module name="FlashChart"> <param name="width">100%</param> <param name="height">400px</param> <module name="ConvertToDrilldownSearch"> <module name="ViewRedirector"> <param name="popup">True</param> <param name="viewTarget">ipop_advanced_search_all</param> </module> </module> </module> </module> </module> ... View more

Hi, There are several questions about timezone configuration. I know that splunk use the timezone information in raw event data first. But what kinds of timezone string can be used. In my test, CET, EDT, PST, GMT and GMT+0700 can be recognized, but Asia/Yerevan and Europe/Berlin can not be. How to set splunk's global timezone to a value that different from system's. For example, the timezone of server is GMT, then how to set splunk's global timezone to GMT+0100. If Splunk use system's timezone to get its time information, will it change correspondingly if the system's timezone is changed. How to display timezone information in the time column of the EventsViewer module in flashtimeline? How to specified timezone information when search in splunk web? We have a old syslog log analysis application which used to deal with log files in USA. Now we want to move all log datas to a splunk installed in a server in Deutschland. We specified timezone information in props.conf, so the times are changed to Deutsch time. But it is inconvenient for the users to change times by timezone when search in the splunk web (They should change the time string to Deutsch time before a search rather than search directly). Thanks & Best Regards, Dianbo ... View more

Hi, I want to customize a form search as it described in http://www.splunk.com/base/Documentation/latest/Developer/TableChartDrilldown. It has a input text element "username" in the form, and after clicking the ">" button, it gererates a table. Then, i want to add a "HiddenSearch" module between "SimpleResultsTable" and "ConvertToDrilldownSearch" to customize the drilldown search. In "HiddenSearch", i use $username$ to define its search parameter. But the value i input in the text box can not be transferred to this internal "HiddenSearch". Can anyone give me some suggestions about this? Thanks, Dianbo ... View more

Hi, I has a form search with a tabswitcher to show the result in 4 tabs. I set autoRun="False" to all modules to disable default autoRun. It's OK when the page loads at the first time, but when i click other tab, it will autoRun. Can anyone tell me how to disable autoRun when switching tabs before clicking ">" button. Thanks, Dianbo ... View more

Hi, There are login messages and logout messages in the log files. I want to get those users who have not been logout. My search is: host="trantest" | transaction user,sessionid startswith="loginmessage" endswith="logoutmessage" keepevicted=true It should return all transactions containing just have start event just have end event have both start event and end event But I just get 2) and 3), and i can not get those transactions just have start event. Any suggestions about transaction usage or any other way of getting users have not logout? Thanks & Best regards. Dianbo ... View more

Hi, I cloned an application mysearch from search, and created 2 dashboards --- dashboard1 and dashboard2. Now, i was browsing dashboard1, but when i clicked the menu in navigator bar to change to dashboard2, i was kicked out to search/dashboard. From firebug, i got the following "303 see other" tracking list. get dashboard2(http://10.3.1.156/splunk/en-US/app/ipop_search/dashboard_ISIS) 303 see other get login?return_to=%...(http://10.3.1.156/splunk/en-US/account/login?return_to=%2Fsplunk%2Fen-US%2Fapp%2Fmysearch%2Fdashboard2) 303 see other get search(http://10.3.1.156/splunk/en-US/app/search) 303 see other get dashboard(http://10.3.1.156/splunk/en-US/app/search/dashboard) 200 OK ....... Can anyone give me some suggestions about how to avoid the redirection? Thanks & Best Regards, Dianbo ... View more

The version i tested is splunk 4.1, and the root_endpoint is set to /splunk. I cloned an application mysearch from search, and set session timeout to 24 hours. Then i created two dashboards dashboard1 (default view of mysearch) and dashboard2. Because there is no login page in free license, so first time i view ｈｔｔｐ://myip/splunk/en-US/app/mysearch, the browser will be redirected to ｈｔｔｐ://myip/splunk/en-US/app/search/dashboard. Next, i relocated to ｈｔｔｐ://myip/splunk/en-US/app/mysearch, the browser was redirected to the default view ｈｔｔｐ://myip/splunk/en-US/app/mysearch/dashboard1. Next, when i drilled down from dashboard1 or changed menu to dashboard2 or other operations, i aperiodically got "401 Unauthorized" errors and was kicked back to ｈｔｔｐ://myip/splunk/en-US/app/search/dashboard many times. From firebug, i got the following 2 kinds of responses for "401 unauthorized": 1) Splunk cannot authenticate the request. CSRF validation failed. 2) No permission -- see authorization schemes when i requested the following addresses a) ｈｔｔｐ://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false b) ｈｔｔｐ://myip/splunk/en-US/api/search/jobs?auto_cancel=90&earliest_time=-4h%40h&latest_time=now&namespace=mysearch&search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&status_buckets=0&ui_dispatch_app=mysearch&ui_dispatch_view=dashboard2 c) ｈｔｔｐ://myip/splunk/en-US/api/messages/index. d) ....... I think we should login as user "admin" in default and have all permissions in free splunk. And i got nothing about "CSRF validation failed" and "authorization schemes" in this forum and from google. Can anyone give me some suggestions about this? Thanks & Best Regards. Dianbo ... View more