topic Re: When I clicked open in search, I got Request-URI Too Long in Splunk Search

When I clicked open in search, I got Request-URI Too Long

LearningGuy — Mon, 06 Nov 2023 02:34:35 GMT

Hello,
When I clicked open in search, I got the following message:
Request-URI Too Long
The requested URL's length exceeds the capacity limit for this server.

I don't get the message if I copy and paste the search manually

Why does Splunk send searches via GET request?
How do I fix this without an admin role?

Thank you for your help

Re: When I clicked open in search, I got Request-URI Too Long

FelixLeh — Mon, 06 Nov 2023 10:08:30 GMT

Could this help maybe?
https://community.splunk.com/t5/Splunk-Search/Why-are-large-Splunk-searches-causing-quot-Request-URI-too-long/m-p/437368

Re: When I clicked open in search, I got Request-URI Too Long

LearningGuy — Mon, 06 Nov 2023 12:55:35 GMT

Hello,
Thanks for your suggestion.
I already looked it up before I posted my question.
The previous post do not answer my questions and I don't have an admin role
1) Why does Splunk send searches via GET request?
2) How do I fix this without an admin role?

Re: When I clicked open in search, I got Request-URI Too Long

malvidin — Mon, 05 Aug 2024 07:54:54 GMT

A search can be longer than the URI allows for opening in a new tab, which causes the 414 Request-URI Too Long error. There are multiple workarounds:

Refactor the search and/or move long portions of the query into an inputlookup command or search macro.
Edit the URL to remove the query and only use the SID (as long as the search ID hasn't expired)

For the second option, you can make a "Bookmarklet" that removes all of the URL parameters except the SID:

 javascript&colon; window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1')

Note: Khoros is breaking the bookmarklet; replace &colon; with :

If you click on that bookmarklet when you get the error, it will open the search.

Re: When I clicked open in search, I got Request-URI Too Long

LearningGuy — Tue, 06 Aug 2024 02:28:21 GMT

Can you give an examples for both options??
1) I am not sure what you meant by refactor and move long position into inputlookup command and search macro
2) not sure how to make "bookmarklet"
Thanks

Re: When I clicked open in search, I got Request-URI Too Long

malvidin — Tue, 06 Aug 2024 14:13:21 GMT

A Splunk URI query usually contains a few key/value pairs like these:

earliest - epoch time for how far back to search
latest - epoch time for when to start search
sid - unique search ID
q - Query string
display.events.fields - Selected Fields

If the path and URL query is over ~4000 characters after URL encoding, it will cause that 414 error. I have only had long query values for q and display.events.fields cause the 414 error.

Splunk passes the sid in the URL so that the search doesn't need to be run again. All the search parameters are available on the server if you provide the sid, but if the search is deleted or expired it can fall back to the other URL parameters to re-run the search.

The solutions are to edit the search to make it shorter in the URL or to edit the URL afterwards to remove some of the long parameters.

Now lets discuss the options I mentioned earlier. These will assume the following search and selected fields. They are not long enough to cause the 414 error, but will work for illustrating the issue.

search (265 chars encoded):
index=test host=0.example.com OR host=1.example.com OR host=2.example.com OR host=3.example.com OR host=4.example.com OR host=5.example.com OR host=6.example.com OR host=7.example.com OR host=8.example.com OR host=9.example.com

fields:
host, src, src_ip, src_mac, dest, dest_ip, dest_mac

1. Refactor the Search

We can make this search string smaller by using the IN statement, a lookup, or a macro.

The IN statement and lookup table makes sense if you have a list of values in a search, the macro makes sense if you pipe the output to multiple subsequent commands (multiple eval, stats, etc.).

1.a. IN statement (166 chars encoded)

index=test host IN (0.example.com,1.example.com,2.example.com,3.example.com,4.example.com,5.example.com,6.example.com,7.example.com,8.example.com,9.example.com)

1.b. lookup table (77 chars encoded)

index=test [inputlookup example_domains | return 1000 host]

1.c. Search macro (40 chars encoded)

index=test `example_domain_search`

2. Edit the URL

Here is an example path for the first query above

/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&display.page.search.mode=smart&dispatch.sample_ratio=1&earliest=-24h%40h&latest=now&display.events.fields=%5B"host"%2C"src"%2C"src_ip"%2C"src_mac"%2C"dest"%2C"dest_ip"%2C"dest_mac"%5D&sid=1723000000.00000

2.a. Manually edit the URL (not recommended)

Go to the address bar and manually remove the longer query parameters

2.a.i:. Remove the display parameters and timeframe

2.a.ii:. Remove the display parameters

2.a.iii. Leave only the search ID (sid)

/search?sid=1723000000.00000

2.b. Edit the URL with a bookmarklet

With the bookmarklet shared earlier, you can use a regular expression to remove some of the parameters. You could remove all but the sid like I did, or you could remove only the display.events.fields if that is causing issues for you. Any of the manual edits made above can be made with a regular expression. If you want a regular expression that provides more fields than the sid, you can use an regular expression tool like regex101 to assist in creating a different bookmarklet.

It is probably possible to build a lexer bookmarklet that parses the search query and truncates it to fit within the server's ~4000 character limit, but that's probably a waste of time.

Re: When I clicked open in search, I got Request-URI Too Long

LearningGuy — Wed, 07 Aug 2024 03:08:11 GMT

I appreciate the explanation and example.
The search that I have is very long and doing a lot of calculation, so it's not that easy to do your suggestion

I've been doing similar thing, but much simpler
I just decode the URL using URL decoder, then open a new search and paste the search.

Thank you for your suggestion.

Re: When I clicked open in search, I got Request-URI Too Long

malvidin — Wed, 07 Aug 2024 09:16:55 GMT

Yes, you can copy the URL, decode the URL parameters, and paste it into a new search, but clicking on a bookmarklet is more convenient for me.

If decoding your query due to the 414 error is a common occurrence, you could also make a CyberChef recipe to help. I don't know how much work it would take to make a bookmarklet that would POST the AST to the server instead.

I understand that your search has a large number of calculations, but you can use a macro to make the URL shorter.

index=test example.com
| `complex_calculations`
| `get_geoip_data(src_ip)`
| `multiple_stats_commands`

In that case, each macro can contain a very large number of commands. When possible, I create macros that are reusable, but that is not always appropriate. In particular, Splunk Enterprise Security content includes a separate filter macro for each Correlation Search so that false positives can be tuned out without editing the detection core logic.

Without access to your search query, it is difficult to know how to make the search smaller.

In a Windows browser, you can press Ctrl-Shift-E when writing your search to show the "Expanded Search String" with the content in all of the macros being shown.

These are a couple examples of how I've moved long parsing and calculation strings to macros:

get_datamodel_desc(1)

entropy_digits_lowercase(1) (the Decrypt2 app is better than this macro)

Re: When I clicked open in search, I got Request-URI Too Long

malvidin — Tue, 29 Oct 2024 13:45:40 GMT

I made a couple more bookmarklets to help:

1. SID Only: Strip all URL parameters except the SID to have the search parameters loaded from the saved job (only works if the SID is still saved)

javascript&colon; window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1');

2. Show Search: Show the search after the error message

javascript&colon; query_str = decodeURIComponent(window.location.href.replace(/.*?\bq=([^&]+).*/, '$1')); document.body.innerHTML += `<pre>${query_str}</pre>`;

3. Strip off different parameters until it works. 1st click removes the display fields list, 2nd click collapses repeated spaces, and 3rd click truncates the query to 3500 characters.

javascript&colon;(function(){if (location.href.indexOf('display.events.fields')>=0) {window.location.href = window.location.href.replace(/\b(display\.events\.fields=[^&]+)/, '');}else if (location.href.indexOf('%'+'0A')>=0) {window.location.href = window.location.href.replaceAll(/(%(20|0A))+/g, ' ');}else{window.location.href = window.location.href.replace(/(\bq=[^&]{100,3500})[^&]*(.*)/, '$1$2');}})();

Again, replace the "&colon;" in the blocks above with the colon character.

Re: When I clicked open in search, I got Request-URI Too Long

msquicc — Thu, 15 May 2025 15:13:44 GMT

for anyone that would like to see this work better, please consider voting for my idea here to support long query urls: https://ideas.splunk.com/ideas/EID-I-2569

to me, this is not uncommon at all. it's a daily problem that I have to work around.
(I'm aware of the current solutions and already use them.)