Splunk ITSI

Splunk IT Service Intelligence: Why am I getting error "URI Too Large" when trying to enable drilldown options from Deep Dive swim lanes?

svendby90
Path Finder

I'm trying to configure some drilldown options from swim lanes in the Deep Dive view in the Splunk IT Service Intelligence app, but having some difficulties doing that. My goal is to be able to drill down to different dashboards from various lanes.
alt text
When enabling overlay for a KPI's swim lane and selecting that lane, I get an error (see picture). Checking the console, I find the following error message: "Failed to load resource: the server responded with a status of 414 (Request-URI Too Large)". Any ideas on how/where I can fix/set this?

1 Solution

svendby90
Path Finder

After updating to 3.0 the problem seems to have been resolved. No idea what caused the error unfortunately.

For the record, in order to enable drilldown from deep dive you need to create a deep_dive_drilldowns.conf in /etc/apps/itsi/local. See /etc/apps/itsi/README/deep_dive_drilldowns.conf for options 🙂
When created run http://yoursplunkserver:8000/en-GB/debug/refresh to activate the configuration.

View solution in original post

0 Karma

evanchitger
New Member

Under Apache, the limit is a configurable value, LimitRequestLine. Change this value to something larger than its default of 8190 if you want to support a longer request URI. Extremely long URLs are usually a mistake. If you keep URLs under 2000 characters , they'll work in virtually any combination of client and server software. URI actually have a character limit depending on several things. Chrome limits url length of 2MB for practical reasons and to avoid causing denial-of-service problems in inter-process communication. On most platforms, Chrome's omnibox limits URL display to 32kB ( kMaxURLDisplayChars ) although a 1kB limit is used on VR platforms. IE - 2083 characters, Firefox - 2047 characters, Safari 80000 characters and Opera 190,000 characters.

To resolve the problem :

  • By POST request: Convert query string to json object and sent to API request with POST
  • By GET request: Max length of request is depend on sever side as well as client side. Most webserver have limit 8k which is configurable. On the client side the different browser has different limit. The browser IE and Safari limit to 2k, Opera 4k and Firefox 8k. means the max length for the GET request is 8k and min request length is 2k.

If exceed the request max length then the request truncated outside the limit by web server or browser without any warning. Some server truncated request data but the some server reject it because of data lose and they will return with response code 414.

 

0 Karma

svendby90
Path Finder

After updating to 3.0 the problem seems to have been resolved. No idea what caused the error unfortunately.

For the record, in order to enable drilldown from deep dive you need to create a deep_dive_drilldowns.conf in /etc/apps/itsi/local. See /etc/apps/itsi/README/deep_dive_drilldowns.conf for options 🙂
When created run http://yoursplunkserver:8000/en-GB/debug/refresh to activate the configuration.

0 Karma

markconlin
Path Finder

I have similar issue https://answers.splunk.com/answers/577476/export-of-results-from-search-screen-results-in-41.html

No result found yet. Have you fixed your issue?

0 Karma

svendby90
Path Finder

Hi! No fix yet. I haven't been able to work on this since I posted the question. Will update if I figure it out 🙂

0 Karma

sanjayguptag
New Member

hey did you able to resolve it, how you reached till custom drill down. i also want to open the custom dashboard from deep dive but not sure how to open that?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...