Splunk Search

When I clicked open in search, I got Request-URI Too Long

LearningGuy
Builder

Hello,
When I clicked open in search, I got the following message:
Request-URI Too Long
The requested URL's length exceeds the capacity limit for this server.

I don't get the message if I copy and paste the search manually.

Why does Splunk send searches via GET request?
How do I fix this without an admin role?

Thank you for your help


malvidin
Communicator

A search can be longer than the URI allows for opening in a new tab, which causes the 414 Request-URI Too Long error. There are multiple workarounds:

  1. Refactor the search and/or move long portions of the query into an inputlookup command or search macro.
  2. Edit the URL to remove the query and only use the SID (as long as the search ID hasn't expired).

For the second option, you can make a "Bookmarklet" that removes all of the URL parameters except the SID:

 javascript: window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1')

Note: Khoros is breaking the bookmarklet; replace &colon; with :

If you click on that bookmarklet when you get the error, it will open the search.


LearningGuy
Builder


Can you give examples for both options?
1) I am not sure what you meant by refactoring and moving long portions into an inputlookup command or search macro
2) I am not sure how to make a "bookmarklet"
Thanks


malvidin
Communicator

I made a couple more bookmarklets to help:

1. SID Only: Strip all URL parameters except the SID to have the search parameters loaded from the saved job (only works if the SID is still saved)

javascript: window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1');

2. Show Search: Show the search after the error message

javascript&colon; query_str = decodeURIComponent(window.location.href.replace(/.*?\bq=([^&]+).*/, '$1')); document.body.innerHTML += `<pre>${query_str}</pre>`;

3. Strip off different parameters until it works. 1st click removes the display fields list, 2nd click collapses repeated spaces, and 3rd click truncates the query to 3500 characters.

javascript&colon;(function(){if (location.href.indexOf('display.events.fields')>=0) {window.location.href = window.location.href.replace(/\b(display\.events\.fields=[^&]+)/, '');}else if (location.href.indexOf('%'+'0A')>=0) {window.location.href = window.location.href.replaceAll(/(%(20|0A))+/g, ' ');}else{window.location.href = window.location.href.replace(/(\bq=[^&]{100,3500})[^&]*(.*)/, '$1$2');}})();

Again, replace the "&colon;" in the blocks above with the colon character.

malvidin
Communicator

A Splunk URI query usually contains a few key/value pairs like these:

  • earliest - epoch time for how far back to search
  • latest - epoch time for when to start search
  • sid - unique search ID
  • q - Query string
  • display.events.fields -  Selected Fields

If the path and URL query are over ~4000 characters after URL encoding, it will cause that 414 error. I have only had long query values for q and display.events.fields cause the 414 error.

Splunk passes the sid in the URL so that the search doesn't need to be run again. All the search parameters are available on the server if you provide the sid, but if the search is deleted or expired it can fall back to the other URL parameters to re-run the search.

The solutions are to edit the search to make it shorter in the URL or to edit the URL afterwards to remove some of the long parameters.

Now let's discuss the options I mentioned earlier. These will assume the following search and selected fields. They are not long enough to cause the 414 error, but will work for illustrating the issue.

search (265 chars encoded):
index=test host=0.example.com OR host=1.example.com OR host=2.example.com OR host=3.example.com OR host=4.example.com OR host=5.example.com OR host=6.example.com OR host=7.example.com OR host=8.example.com OR host=9.example.com

fields:
host, src, src_ip, src_mac, dest, dest_ip, dest_mac

1. Refactor the Search

We can make this search string smaller by using the IN statement, a lookup, or a macro.

The IN statement and lookup table make sense if you have a list of values in a search; the macro makes sense if you pipe the output to multiple subsequent commands (multiple eval, stats, etc.).

1.a. IN statement (166 chars encoded)

index=test host IN (0.example.com,1.example.com,2.example.com,3.example.com,4.example.com,5.example.com,6.example.com,7.example.com,8.example.com,9.example.com)

1.b. lookup table (77 chars encoded)

index=test [inputlookup example_domains | return 1000 host]

1.c. Search macro (40 chars encoded)

index=test `example_domain_search`

2. Edit the URL

Here is an example path for the first query above:

/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&display.page.search.mode=smart&dispatch.sample_ratio=1&earliest=-24h%40h&latest=now&display.events.fields=%5B"host"%2C"src"%2C"src_ip"%2C"src_mac"%2C"dest"%2C"dest_ip"%2C"dest_mac"%5D&sid=1723000000.00000

2.a. Manually edit the URL (not recommended)

Go to the address bar and manually remove the longer query parameters.

2.a.i. Remove the display parameters and timeframe

/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&sid=1723000000.00000

or

2.a.ii. Remove the display parameters

/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&earliest=-24h%40h&latest=now&sid=1723000000.00000

or

2.a.iii. Leave only the search ID (sid)

/search?sid=1723000000.00000

2.b. Edit the URL with a bookmarklet

With the bookmarklet shared earlier, you can use a regular expression to remove some of the parameters. You could remove all but the sid like I did, or you could remove only the display.events.fields if that is causing issues for you. Any of the manual edits made above can be made with a regular expression. If you want a regular expression that preserves more fields than the sid, you can use a regular expression tool like regex101 to assist in creating a different bookmarklet.


It is probably possible to build a lexer bookmarklet that parses the search query and truncates it to fit within the server's ~4000 character limit, but that's probably a waste of time.
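As an added example (not code from the thread), the parameter stripping done by the bookmarklets above and by the manual edits in 2.a, generalized: parameters are dropped in order until the path and query fit under the limit, with the sid-only URL as the last resort. The ~4000-character URI_LIMIT and the DROP_ORDER are assumptions modelled on the post; the sample path is the example path from this post, constructed inline.

```javascript
// Added example (not from the thread). Assumes the ~4000-char limit the post
// quotes and a drop order modelled on manual edits 2.a.i-iii. Input is path +
// query, i.e. location.pathname + location.search inside a bookmarklet.
const URI_LIMIT = 4000;
// Least essential parameters first; q is only dropped in the sid-only fallback.
const DROP_ORDER = ["display.events.fields", "display.page.search.mode",
  "dispatch.sample_ratio", "earliest", "latest"];
// Split into path and raw key=value pairs without re-encoding, so the rebuilt
// URL keeps Splunk's own %20/%3D encoding and the measured length is exact.
function splitUrl(urlString) {
  const i = urlString.indexOf("?");
  if (i < 0) return { path: urlString, pairs: [] };
  return { path: urlString.slice(0, i), pairs: urlString.slice(i + 1).split("&").filter(Boolean) };
}
const paramName = (pair) => pair.split("=", 1)[0];
const joinUrl = (path, pairs) => (pairs.length ? `${path}?${pairs.join("&")}` : path);
// Drop parameters in DROP_ORDER until the URI fits; if q alone is still too
// long, keep only sid so the server reloads the saved job (step 2.a.iii).
function shrinkSearchUrl(urlString, limit = URI_LIMIT) {
  let { path, pairs } = splitUrl(urlString);
  const dropped = [];
  const tooLong = () => joinUrl(path, pairs).length > limit;
  for (const name of DROP_ORDER) {
    if (!tooLong()) break;
    if (pairs.some((p) => paramName(p) === name)) {
      pairs = pairs.filter((p) => paramName(p) !== name);
      dropped.push(name);
    }
  }
  if (tooLong() && pairs.some((p) => paramName(p) === "sid")) {
    for (const p of pairs) if (paramName(p) !== "sid") dropped.push(paramName(p));
    pairs = pairs.filter((p) => paramName(p) === "sid");
  }
  const url = joinUrl(path, pairs);
  return { url, dropped, length: url.length, fits: url.length <= limit };
}
// Decoded q for display (bookmarklet 2). Render it with textContent, not
// innerHTML, so a crafted link cannot inject markup into the Splunk page.
function decodedQuery(urlString) {
  const pair = splitUrl(urlString).pairs.find((p) => paramName(p) === "q");
  return pair ? decodeURIComponent(pair.slice(pair.indexOf("=") + 1)) : null;
}
// Length of SPL after URL encoding, counted like the "chars encoded" figures above.
const encodedLength = (spl) => encodeURI(spl).length;
// Constructed sample: the 511-character example path from the post above.
const SAMPLE_PATH = "/search?q=search%20index%3Dtest%20" +
  Array.from({ length: 10 }, (_, n) => `host%3D${n}.example.com`).join("%20OR%20") +
  "&display.page.search.mode=smart&dispatch.sample_ratio=1&earliest=-24h%40h&latest=now" +
  '&display.events.fields=%5B"host"%2C"src"%2C"src_ip"%2C"src_mac"%2C"dest"%2C"dest_ip"%2C"dest_mac"%5D' +
  "&sid=1723000000.00000";
```

In a bookmarklet this becomes location.href = location.origin + shrinkSearchUrl(location.pathname + location.search).url, and decodedQuery gives the string to place into a pre element via textContent.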

LearningGuy
Builder

I appreciate the explanation and example.
The search that I have is very long and does a lot of calculation, so it's not that easy to follow your suggestion.

I've been doing a similar thing, but much simpler.
I just decode the URL using URL decoder, then open a new search and paste the search.

Thank you for your suggestion.


malvidin
Communicator

Yes, you can copy the URL, decode the URL parameters, and paste it into a new search, but clicking on a bookmarklet is more convenient for me.

If decoding your query due to the 414 error is a common occurrence, you could also make a CyberChef recipe to help. I don't know how much work it would take to make a bookmarklet that would POST the AST to the server instead.

I understand that your search has a large number of calculations, but you can use a macro to make the URL shorter.

index=test example.com
| `complex_calculations`
| `get_geoip_data(src_ip)`
| `multiple_stats_commands`

In that case, each macro can contain a very large number of commands. When possible, I create macros that are reusable, but that is not always appropriate. In particular, Splunk Enterprise Security content includes a separate filter macro for each Correlation Search so that false positives can be tuned out without editing the detection core logic.

Without access to your search query, it is difficult to know how to make the search smaller.

In a Windows browser, you can press Ctrl-Shift-E when writing your search to show the "Expanded Search String" with the content in all of the macros being shown.

These are a couple examples of how I've moved long parsing and calculation strings to macros:

get_datamodel_desc(1)


entropy_digits_lowercase(1)  (the Decrypt2 app is better than this macro)


LearningGuy
Builder

Hello,
Thanks for your suggestion.
I already looked it up before I posted my question.
The previous posts do not answer my questions, and I don't have an admin role.
1) Why does Splunk send searches via GET request?

2) How do I fix this without an admin role?


FelixLeh
Contributor