Hello,
I am getting "Request URI too long error, status 404" because of large splunk query.
How to avoid this issue from the splunk side? i tried macros, but macros are giving me some other issues.
Any solution other than macros?
Thanks.
This rare condition is only likely to occur when a client has improperly converted a POST request to a GET request with long query information. The HTTP 414 URI Too Long response status code indicates that the URI(Uniform Resource Identifier) requested by the client is longer than the server is willing to interpret.
To resolve this problem :
If exceed the request max length then the request truncated outside the limit by web server or browser without any warning. Some server truncated request data but the some server reject it because of data lose and they will return with response code 414 Request-URI Too Long.
Under Apache, the limit is a configurable value, LimitRequestLine. If you want to increase URL limit to 5000 characters (bytes), add the following lines to your server configuration or virtual host file.
LimitRequestLine 5000
If you want to increase maximum header length supported by Apache to 3000 characters, then add the following line.
LimitRequestFieldSize 3000
Try saving your large query into a report and then use | savedsearch command to run those.
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Savedsearch
@chinmayc469,
You can create a savedsearch for that. You can create parameterized savedsearch also.
1) Create a saved search with your long search in saved search
2) Pass savedsearch SPL in request url.
Please see following link for same:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Savedsearchesconf
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Savedsearch
Thanks