Since upgrading to Splunk 6.2.0/6.2.1 the "File or Directory" browser in Data inputs is broken: folders cannot be expanded anymore and
404 (Not Found) errors are returned. This has always been working fine on 6.1.x, however I notice that the GUI has changed as well. The issue doesn't occur if you don't use reverse proxy.
The exact functionality can be reached from Splunkweb in following way:
Settings -> Data -> Data Inputs -> Local Inputs -> Files & directories -> New
Finally click on the "Browse"-button right to the "File or Directory" field and try to expand folders.
From further checks apache access_log tells:
10.73.64.119 - - [11/Feb/2015:15:55:26 +0000] "GET /en-GB/splunkd/__raw/services/messages?output_mode=json&sort_key=timeCreated_epochSecs&sort_dir=desc&count=1000&_=1423669944903 HTTP/1.1" 200 586 10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /en-GB/splunkd/__raw/servicesNS/admin/launcher/admin/file-explorer/%2Fetc?output_mode=json&count=10000&sort_key=hasSubNodes&sort_key=name&sort_dir=desc&sort_mode=num&_=1423669944900 HTTP/1.1" 404 268 10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /favicon.ico HTTP/1.1" 303 611 10.73.64.119 - - [11/Feb/2015:15:55:42 +0000] "GET /en-GB/favicon.ico HTTP/1.1" 200 8348
What's going wrong here? Could you please help? Thanks a lot in advance.
You can use following approach in order to solve your issue: please check following directive:
If this is not set to "NoDecode", then the proxy will try to decode and, in case like this one when it has to deal with slashes, this will lead to a failure, because it doesn't manage it as a string as it should. You can verify your Apache version by using for instance the command:
rpm -qa | grep httpd
If you are using an Apache version older than 2.2.18, then please upgrade and change the directive accordingly.
Here is an example about the Apache configuration after the change:
<VirtualHost 10.10.10.22:80> ProxyPass / http://10.10.10.18:8000/ ProxyPassReverse / http://10.10.10.18:8000/ AllowEncodedSlashes NoDecode </VirtualHost>
So please set
AllowEncodedSlashes NoDecode under the appropriate VirtualHost. Adding it anywhere else will not solve the issue. Restart Apache afterwards in order to apply changes.
Hope this helps.
Just a quick question; you made it sound like you were answering someone else's question!!! why? 😛
hi Markthompson--Matteo is a member of our Support team, and we often post questions and answers we encounter when handling customer cases so that other users can benefit from the experience--this is why he asked and answered his own question this way 🙂
Piggybacking off of @piebob 's comment, here are some examples of other posts where support folks bring common issues they come across working with customers to the community on Splunk Answers 🙂
@piebob & @ppablo_splunk - haha, I didn't even realise, probably should've noticed the _splunk 😛 Good answer anyhow. 😛