Configure user session timeouts
Configure user session timeouts
The amount of time that elapses before a Splunk user's session times out depends on the interaction among three timeout settings:
- The
splunkwebsession timeout. - The
splunkdsession timeout. - The browser session timeout.
The splunkweb and splunkd timeouts determine the maximum idle time in the interaction between browser and Splunk. The browser session timeout determines the maximum idle time in interaction between user and browser.
The splunkweb and splunkd timeouts generally have the same value, as the same Manager field sets both of them. To set the timeout in Splunk Manager:
1. Click Manager in the upper right-hand corner of Splunk Web.
2. Under System configurations, click System settings.
3. Click General settings.
4. In the System timeout field, enter a timeout value.
5. Click Save.
This sets the user session timeout value for both splunkweb and splunkd. Initially, they share the same value of 60 minutes. They will continue to maintain identical values, if you change the value through Manager.
If, for some reason, you need to set the timeouts for splunkweb and splunkd to different values, you can do so by editing their underlying configuration files, web.conf (tools.sessions.timeout attribute) and server.conf (sessionTimeout attribute). For all practical purposes, there's no reason to give them different values. In any case, if the user is using SplunkWeb (splunkweb) to access the Splunk instance (splunkd), the smaller of the two timeout attributes prevails. So, if tools.sessions.timeout in web.conf has a value of "90" (minutes), and sessionTimeout in server.conf has a value of "1h" (1 hour; 60 minutes), the session will timeout after 60 minutes.
In addition to setting the splunkweb/splunkd session value, you can also specify the timeout for the user browser session by editing the ui_inactivity_timeout value in web.conf. The Splunk browser session will time out once this value is reached. The default is 60 minutes. If ui_inactivity_timeout is set to less than 1, there's no timeout -- the session will stay alive while the browser is open.
The countdown for the splunkweb/splunkd session timeout does not begin until the browser session reaches its timeout value. So, to determine how long the user has before timeout, add the value of ui_inactivity_timeout to the smaller of the timeout values for splunkweb and splunkd. For example, assume the following:
-
splunkwebtimeout: 15m
-
splunkdtimeout: 20m
- browser (
ui_inactivity_timeout) timeout: 10m
The user session stays active for 25m (15m+10m). After 25 minutes of no activity, the user will be prompted to login again.
Note: If you change a timeout value, either in Manager or in configuration files, you must restart Splunk for the change to take effect.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.
Comments
Is it possible to set different classes of users timeouts for the web GUI? Common users 10 minutes, analysts to 20, Managers to an hour, CERT Team Members to never - these are special accounts that are not used everyday, only for the duration of an event. What's the impact on the system to when a user is idle; what if there are many idle users, how does the affect accumulate?
Jhatsplunk,
I don't believe that there's a way to set user timeouts at the user role level. You might ask this question on Splunk Answers; perhaps someone has found some way to do so: http://splunk-base.splunk.com/answers