Troubleshoot token authentication
If a token fails authentication for any reason, the Splunk platform writes a message to splunkd.log with additional information. As a Splunk administrator, you can read this log file to get information on why authentication with the token failed.
For additional information, you can enable debug logging. Debug logging is available on Splunk Enterprise instances only. Splunk Enterprise writes information about token authentication using the JsonWebTokenHandler tag. See Enable debug logging for instructions. After you have enabled debug logging, look for this tag when you review logs for information on problems that occur with token authentication.
Common problems for token authentication
The following is a list of common problems that can occur with token authentication.
Splunk platform instance displays "Token authentication is disabled"
If you receive this error message, either in Splunk Web or through a REST command, it means that you have not enabled token authentication.
- Confirm that you have completed the requirements for enabling token authentication.
- Enable token authentication.
cURL command returns "call not properly authenticated"
This message means that authentication to the Splunk platform instance with the token you presented was not successful.
- Confirm that the token is enabled. If it is not, and it has not yet expired, enable it if you have permission, or contact your administrator.
- Confirm that the token is valid and has not expired. If it has expired, create a new one if you have permission, or contact your administrator. You cannot extend token validity.
- Confirm that the "Not before" validity time for the token has passed. If it hasn't, either wait or create a new token if you have permission.
- Confirm that the token has not been deleted. If it has, create a new one if you have permission.
- Confirm that the account that is associated with the token exists. If it doesn't, create one, then create a new token and assign that user to the token, if you have permission.
- Confirm that you use the full token as it was generated. If you don't have the full token, request or create a new one, if you have permission.
- Confirm that you are using a token on the same Splunk platform instance where it was issued.
- If your Splunk platform instance uses an LDAP server for authentication, confirm that the user exists and is not disabled on the LDAP server.
- If your Splunk instance uses an LDAP server for authentication, confirm that the instance can connect to the LDAP server.
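The full-token, expiry and "Not before" checks in the list above can be run locally before retrying the request. The following is an added example, not Splunk code: it assumes the token is a JWT (as the JsonWebTokenHandler tag suggests) whose payload carries `exp` and a not-before claim named `nbf` or `nbr`, and the function names and sample tokens are constructed for illustration.

```python
import base64
import json
import time

def _decode_segment(segment):
    """Decode one base64url JWT segment (padding is stripped in JWTs)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def _utc(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

def check_token(token, now=None):
    """Return a list of locally detectable problems; an empty list means none found."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3 or not all(parts):
        return ["token is not three dot-separated segments (truncated or partial copy)"]
    try:
        claims = _decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["payload segment does not decode (token altered or incomplete)"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    findings = []
    exp = claims.get("exp")
    # Assumption: a missing or zero exp means no expiry was set.
    if isinstance(exp, (int, float)) and exp and now >= exp:
        findings.append("exp claim is in the past: " + _utc(exp))
    # Assumption: the not-before time is stored as 'nbf' (JWT standard) or 'nbr'.
    not_before = claims.get("nbf", claims.get("nbr"))
    if isinstance(not_before, (int, float)) and now < not_before:
        findings.append("not-before time has not passed: " + _utc(not_before))
    return findings

def make_sample(claims):
    """Build a constructed, unsigned sample token for demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    now = int(time.time())
    sample = make_sample({"sub": "svc_account", "exp": now - 60, "nbf": now - 3600})
    for finding in check_token(sample) or ["no local problems found"]:
        print(finding)
```

This does not verify the signature or tell you whether the token is enabled, deleted, or tied to an existing user; those checks still happen on the instance. The token is a credential, so decode it on your own machine rather than in an online tool.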
Error received "KV store not ready"
This message means that the app key value store (KV store) has not been enabled. Enable KV store if you have permission, or contact your administrator.
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2203, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)