Solved: 403 Forbidden, Open in Search from Dashboard, Issu...

bcatwork · ‎05-20-2015

Hi, I have a performance metrics dashboard created in simple-xml, all tables/charts must be accessible when selecting 'open in search'.

I have found that all search strings containing a rex command toss a 403 access forbidden error when I try to 'open in search'. All other visuals work as expected when opening in search. When deconstructing the URL and removing the rex commands, I am able to refresh and successfully route to the search app.

Here is an example of a field extraction I perform using the rex command.

rex field=_raw "DOMAIN: (?<DOMAIN>.*)"

Are there known issues involved with the rex command and simple-xml? This seems like a character issue (specifically <>)? In code, I use & lt; & gt ; (without spacing) to represent, these are converted to <> in the URI. I need them to stay as html character entities in the URI to successfully 'open in search', not be converted to <>.

Any thoughts or suggestions???

bcatwork · ‎08-11-2015

I found this issue has been resolved when upgrading to Splunk 6.2.

I never found a fix item that matched this issue description, but I imagine it was a known Splunk issue as it has been resolved.

View solution in original post

bcatwork · ‎08-11-2015

I found this issue has been resolved when upgrading to Splunk 6.2.

I never found a fix item that matched this issue description, but I imagine it was a known Splunk issue as it has been resolved.

splunkn · ‎08-11-2015

Many thanks. But we have the upgraded version 6.2.3. But still no luck 😞

splunkn · ‎08-11-2015

Any ideas regarding this. is it known Splunk issue?

403 Forbidden, Open in Search from Dashboard, Issues with Rex Command

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup