Hello,
When I clicked open in search, I got the following message:
Request-URI Too Long
The requested URL's length exceeds the capacity limit for this server.
I don't get the message if I copy and paste the search manually.
Why does Splunk send searches via GET request?
How do I fix this without an admin role?
Thank you for your help
A search can be longer than the URI allows for opening in a new tab, which causes the 414 Request-URI Too Long error. There are multiple workarounds:
For the second option, you can make a "Bookmarklet" that removes all of the URL parameters except the SID:
javascript: window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1')
Note: Khoros is breaking the bookmarklet; replace : with :
If you click on that bookmarklet when you get the error, it will open the search.
Can you give examples for both options?
1) I am not sure what you meant by refactor and move long position into inputlookup command and search macro
2) not sure how to make "bookmarklet"
Thanks
I made a couple more bookmarklets to help:
1. SID Only: Strip all URL parameters except the SID to have the search parameters loaded from the saved job (only works if the SID is still saved)
javascript: window.location.href = window.location.href.replace(/\?.*?(\bsid=[^&]+).*/, '?$1');
2. Show Search: Show the search after the error message
javascript: var query_str = decodeURIComponent(window.location.href.replace(/.*?\bq=([^&]+).*/, '$1')); var pre = document.createElement('pre'); pre.textContent = query_str; document.body.appendChild(pre);
3. Strip off different parameters until it works. 1st click removes the display fields list, 2nd click collapses repeated spaces, and 3rd click truncates the query to 3500 characters.
javascript:(function(){if (location.href.indexOf('display.events.fields')>=0) {window.location.href = window.location.href.replace(/&display\.events\.fields=[^&]*/, '');}else if (location.href.indexOf('%'+'0A')>=0) {window.location.href = window.location.href.replaceAll(/(%(20|0A))+/g, ' ');}else{window.location.href = window.location.href.replace(/(\bq=[^&]{100,3500})[^&]*(.*)/, '$1$2');}})();
Again, replace the ":" in the blocks above with the colon character.
A Splunk URI query usually contains a few key/value pairs like these:
If the path and URL query are over ~4000 characters after URL encoding, it will cause that 414 error. I have only had long query values for q and display.events.fields cause the 414 error.
Splunk passes the sid in the URL so that the search doesn't need to be run again. All the search parameters are available on the server if you provide the sid, but if the search is deleted or expired it can fall back to the other URL parameters to re-run the search.
The solutions are to edit the search to make it shorter in the URL or to edit the URL afterwards to remove some of the long parameters.
Now let's discuss the options I mentioned earlier. These will assume the following search and selected fields. They are not long enough to cause the 414 error, but will work for illustrating the issue.
search (265 chars encoded):
index=test host=0.example.com OR host=1.example.com OR host=2.example.com OR host=3.example.com OR host=4.example.com OR host=5.example.com OR host=6.example.com OR host=7.example.com OR host=8.example.com OR host=9.example.com
fields:
host, src, src_ip, src_mac, dest, dest_ip, dest_mac
1. Refactor the Search
We can make this search string smaller by using the IN statement, a lookup, or a macro.
The IN statement and lookup table make sense if you have a list of values in a search; the macro makes sense if you pipe the output to multiple subsequent commands (multiple eval, stats, etc.).
1.a. IN statement (166 chars encoded)
index=test host IN (0.example.com,1.example.com,2.example.com,3.example.com,4.example.com,5.example.com,6.example.com,7.example.com,8.example.com,9.example.com)
1.b. lookup table (77 chars encoded)
index=test [inputlookup example_domains | return 1000 host]
1.c. Search macro (40 chars encoded)
index=test `example_domain_search`
2. Edit the URL
Here is an example path for the first query above:
/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&display.page.search.mode=smart&dispatch.sample_ratio=1&earliest=-24h%40h&latest=now&display.events.fields=%5B"host"%2C"src"%2C"src_ip"%2C"src_mac"%2C"dest"%2C"dest_ip"%2C"dest_mac"%5D&sid=1723000000.00000
2.a. Manually edit the URL (not recommended)
Go to the address bar and manually remove the longer query parameters.
2.a.i. Remove the display parameters and timeframe
/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&sid=1723000000.00000
or
2.a.ii. Remove the display parameters
/search?q=search%20index%3Dtest%20host%3D0.example.com%20OR%20host%3D1.example.com%20OR%20host%3D2.example.com%20OR%20host%3D3.example.com%20OR%20host%3D4.example.com%20OR%20host%3D5.example.com%20OR%20host%3D6.example.com%20OR%20host%3D7.example.com%20OR%20host%3D8.example.com%20OR%20host%3D9.example.com&earliest=-24h%40h&latest=now&sid=1723000000.00000
or
2.a.iii. Leave only the search ID (sid)
/search?sid=1723000000.00000
2.b. Edit the URL with a bookmarklet
With the bookmarklet shared earlier, you can use a regular expression to remove some of the parameters. You could remove all but the sid like I did, or you could remove only the display.events.fields if that is causing issues for you. Any of the manual edits made above can be made with a regular expression. If you want a regular expression that provides more fields than the sid, you can use a regular expression tool like regex101 to assist in creating a different bookmarklet.
It is probably possible to build a lexer bookmarklet that parses the search query and truncates it to fit within the server's ~4000 character limit, but that's probably a waste of time.
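The staged URL trimming described above (the three-click bookmarklet and section 2.b), as an added example that is not code from the thread: it applies the same reductions in order and reports which one was needed. It assumes a full or bare Splunk search URL, and the 4000-character default limit is the rough figure quoted in the thread, not a documented setting.

```javascript
// Split into origin (empty for a bare "/search?..." path), path and raw query.
// Done by regex rather than new URL(), which may re-encode and change lengths.
function splitHref(href) {
  const m = href.match(/^([a-z][a-z0-9+.-]*:\/\/[^/?#]*)?([^?#]*)\??([^#]*)/i);
  return { origin: m[1] || '', path: m[2], query: m[3] };
}

// Query string -> ordered [key, value] pairs ('+' is a space in a query string).
function parseQuery(query) {
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  return query.split('&').filter(Boolean).map((kv) => {
    const i = kv.indexOf('=');
    return i < 0 ? [dec(kv), ''] : [dec(kv.slice(0, i)), dec(kv.slice(i + 1))];
  });
}

// Re-encode with encodeURIComponent so spaces become %20 like Splunk's own links.
function buildQuery(pairs) {
  return pairs.map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join('&');
}

// Length of path + "?" + query: the request target a 414 response is about.
function requestTargetLength(href) {
  const { path, query } = splitHref(href);
  return path.length + 1 + query.length;
}

// Returns { href, stage }; stage names the last reduction that was needed.
// limit defaults to the ~4000 characters mentioned in the thread (an assumption).
function shrinkSplunkSearchUrl(href, limit = 4000) {
  const { origin, path, query } = splitHref(href);
  let pairs = parseQuery(query);
  let stage = 'unchanged';
  const fits = () => path.length + 1 + buildQuery(pairs).length <= limit;
  if (!fits()) { // stage 1: the selected-fields list is usually the longest extra
    pairs = pairs.filter(([k]) => k !== 'display.events.fields');
    stage = 'dropped display.events.fields';
  }
  if (!fits()) { // stage 2: each space or newline in q costs 3 characters encoded
    pairs = pairs.map(([k, v]) => (k === 'q' ? [k, v.replace(/\s+/g, ' ').trim()] : [k, v]));
    stage = 'collapsed whitespace in q';
  }
  if (!fits()) { // stage 3: only valid while the search job is still saved
    const sid = pairs.find(([k]) => k === 'sid');
    if (!sid) throw new Error('still too long and no sid to fall back on');
    pairs = [sid];
    stage = 'sid only';
  }
  return { href: `${origin}${path}?${buildQuery(pairs)}`, stage };
}
```

Calling shrinkSplunkSearchUrl(location.href) from a bookmarklet and assigning the returned href to window.location.href reproduces the three clicks above in one step.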
I appreciate the explanation and example.
The search that I have is very long and doing a lot of calculation, so it's not that easy to do your suggestion.
I've been doing a similar thing, but much simpler.
I just decode the URL using URL decoder, then open a new search and paste the search.
Thank you for your suggestion.
Yes, you can copy the URL, decode the URL parameters, and paste it into a new search, but clicking on a bookmarklet is more convenient for me.
If decoding your query due to the 414 error is a common occurrence, you could also make a CyberChef recipe to help. I don't know how much work it would take to make a bookmarklet that would POST the AST to the server instead.
I understand that your search has a large number of calculations, but you can use a macro to make the URL shorter.
index=test example.com
| `complex_calculations`
| `get_geoip_data(src_ip)`
| `multiple_stats_commands`
In that case, each macro can contain a very large number of commands. When possible, I create macros that are reusable, but that is not always appropriate. In particular, Splunk Enterprise Security content includes a separate filter macro for each Correlation Search so that false positives can be tuned out without editing the detection core logic.
Without access to your search query, it is difficult to know how to make the search smaller.
In a Windows browser, you can press Ctrl-Shift-E when writing your search to show the "Expanded Search String" with the content in all of the macros being shown.
These are a couple of examples of how I've moved long parsing and calculation strings to macros:
get_datamodel_desc(1)
entropy_digits_lowercase(1) (the Decrypt2 app is better than this macro)
Hello,
Thanks for your suggestion.
I already looked it up before I posted my question.
The previous post does not answer my questions and I don't have an admin role.
1) Why does Splunk send searches via GET request?
2) How do I fix this without an admin role?