When accessing a Splunk application that is being load-balanced by an Avi Virtual Service, users may be blocked from access and see the following error message on the page:
Splunk cannot authenticate the request. CSRF validation failed
This error occurs when the HTTP-Only Cookies setting in the Avi Application Profile is enabled, because that setting interferes with Splunk's Cross-Site Request Forgery (CSRF) protection.
Splunk Web protects state-changing requests with a cookie-to-header token: the server sets a CSRF token in a dedicated cookie (separate from the session cookie), and Splunk's client-side JavaScript reads that cookie and copies the token into a header on each subsequent request. The server accepts the request only when the header value matches the cookie value; a cross-site page can make the browser send the cookie but cannot read it, so it cannot produce the matching header.
The HttpOnly attribute on a cookie instructs the browser to withhold that cookie from client-side scripts: the cookie is still sent in the Cookie header of every request, but it is not exposed through document.cookie.
When HTTP-Only Cookies is enabled, Avi appends the HttpOnly attribute to every Set-Cookie header in Splunk's responses, including the CSRF token cookie. Splunk's JavaScript can then no longer read the token, the request arrives without the expected header, and Splunk rejects it with the error above.
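The following is an added example, not Splunk's or Avi's code, that models the mechanism just described: a backend that sets a readable CSRF cookie, a proxy option that forces HttpOnly onto every cookie, a browser whose document.cookie hides HttpOnly cookies, and a server-side check that compares the header against the cookie. The cookie name splunkweb_csrf_token_<port> and the header X-Splunk-Form-Key are the ones Splunk Web uses; the session cookie name, token values and the proxy rewrite function are constructed for illustration.

```javascript
// Added example (not Splunk's or Avi's code): a model of Splunk's cookie-to-header
// CSRF check and of what happens when a proxy in front of it marks every cookie HttpOnly.
const CSRF_COOKIE = "splunkweb_csrf_token_8000"; // Splunk's CSRF cookie, suffixed with the web port
const CSRF_HEADER = "x-splunk-form-key";          // header Splunk's JavaScript copies the token into
const SESSION_COOKIE = "splunkd_8000";            // session cookie name: assumed, for illustration only

// Parse one Set-Cookie header value into its name/value pair plus the HttpOnly flag.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

// Model of the Application Profile's "HTTP-Only Cookies" option on the response path:
// every Set-Cookie from the backend gets HttpOnly appended if it does not already carry it.
function proxyRewrite(setCookieHeaders, httpOnlyCookies) {
  if (!httpOnlyCookies) return setCookieHeaders;
  return setCookieHeaders.map((h) => (parseSetCookie(h).httpOnly ? h : `${h}; HttpOnly`));
}

// Browser cookie jar: it stores every cookie, document.cookie exposes only the ones
// without HttpOnly, and the Cookie request header carries all of them.
function storeCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie);
}
function documentCookie(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}
function cookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Splunk's client-side behaviour: read the token from document.cookie and send it as a header.
function buildSplunkRequest(jar) {
  const match = documentCookie(jar).match(new RegExp(`(?:^|; )${CSRF_COOKIE}=([^;]*)`));
  const headers = { cookie: cookieHeader(jar) };
  if (match) headers[CSRF_HEADER] = match[1];
  return { method: "POST", headers };
}

// Server-side check (modelled, not Splunk's source): header must be present and equal the cookie.
function validateCsrf(req) {
  const cookieMatch = (req.headers.cookie || "").match(new RegExp(`(?:^|; )${CSRF_COOKIE}=([^;]*)`));
  const fromCookie = cookieMatch ? cookieMatch[1] : null;
  const fromHeader = req.headers[CSRF_HEADER] || null;
  if (!fromCookie || !fromHeader) return { ok: false, reason: "CSRF validation failed: token missing" };
  if (fromCookie !== fromHeader) return { ok: false, reason: "CSRF validation failed: token mismatch" };
  return { ok: true, reason: "ok" };
}

// End to end: Splunk sets its cookies, the proxy rewrites them, the browser stores them,
// Splunk's JavaScript builds a request, and the server validates it.
function simulate(httpOnlyCookies) {
  const splunkResponse = [
    `${SESSION_COOKIE}=s3ss10n; Path=/; Secure; HttpOnly`, // assumed: backend already protects the session cookie
    `${CSRF_COOKIE}=deadbeef42; Path=/; Secure`,          // CSRF cookie deliberately readable by script
  ];
  const jar = storeCookies(proxyRewrite(splunkResponse, httpOnlyCookies));
  return validateCsrf(buildSplunkRequest(jar));
}

// A cross-site forgery: the attacker's page can make the browser send the cookies but cannot
// read them, so the header is absent and the check fails regardless of the proxy setting.
function simulateForgery(httpOnlyCookies) {
  const jar = storeCookies(proxyRewrite([`${CSRF_COOKIE}=deadbeef42; Path=/; Secure`], httpOnlyCookies));
  return validateCsrf({ method: "POST", headers: { cookie: cookieHeader(jar) } });
}

console.log("HTTP-Only Cookies enabled :", simulate(true).reason);
console.log("HTTP-Only Cookies disabled:", simulate(false).reason);
console.log("cross-site forgery        :", simulateForgery(false).reason);
```

The forgery case is the reason the CSRF cookie must stay readable: the protection does not depend on the token being hidden from scripts on Splunk's own origin, only on it being unreadable from other origins, which the same-origin policy already guarantees. Forcing HttpOnly onto it therefore adds no protection and breaks the check.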
To resolve this issue, disable the HTTP-Only Cookies setting in the Application Profile associated with the Splunk Virtual Service.
In the Avi UI, navigate to Templates > Profiles > Application.
Identify and edit the Application Profile used by the Splunk Virtual Service.
Uncheck the box for HTTP-Only Cookies.
Click Save to apply the changes.
With the setting disabled, Avi passes Splunk's Set-Cookie headers through with the attributes Splunk itself chose, so the CSRF token cookie is readable by Splunk's scripts again and validation succeeds. Cookies that Splunk already marks HttpOnly keep that attribute; the change only stops Avi from forcing it onto every cookie served through this profile.
Note that an Application Profile can be attached to more than one Virtual Service, and unchecking the option affects all of them. If other applications behind the same profile rely on Avi to add HttpOnly, attach a separate profile to the Splunk Virtual Service instead of changing the shared one.
To verify the fix, log in to Splunk through the Virtual Service and inspect the Set-Cookie headers in the browser's developer tools: the CSRF token cookie should no longer carry the HttpOnly attribute, and an action that previously produced the error should now succeed.