Solved: Re: 403 Forbidden, Open in Search from Dashboard, ...

bcatwork · ‎05-20-2015

Hi, I have a performance metrics dashboard created in simple-xml, all tables/charts must be accessible when selecting 'open in search'.

I have found that all search strings containing a rex command toss a 403 access forbidden error when I try to 'open in search'. All other visuals work as expected when opening in search. When deconstructing the URL and removing the rex commands, I am able to refresh and successfully route to the search app.

Here is an example of a field extraction I perform using the rex command.

rex field=_raw "DOMAIN: (?<DOMAIN>.*)"

Are there known issues involved with the rex command and simple-xml? This seems like a character issue (specifically <>)? In code, I use & lt; & gt ; (without spacing) to represent, these are converted to <> in the URI. I need them to stay as html character entities in the URI to successfully 'open in search', not be converted to <>.

Any thoughts or suggestions???

bcatwork · ‎08-11-2015

I found this issue has been resolved when upgrading to Splunk 6.2.

I never found a fix item that matched this issue description, but I imagine it was a known Splunk issue as it has been resolved.

View solution in original post

bcatwork · ‎08-11-2015

I found this issue has been resolved when upgrading to Splunk 6.2.

I never found a fix item that matched this issue description, but I imagine it was a known Splunk issue as it has been resolved.

splunkn · ‎08-11-2015

Many thanks. But we have the upgraded version 6.2.3. But still no luck 😞

splunkn · ‎08-11-2015

Any ideas regarding this. is it known Splunk issue?

403 Forbidden, Open in Search from Dashboard, Issues with Rex Command

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms