Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are large Splunk searches causing "Request URI too long error, status 404"?

chinmayc469
Explorer
‎07-13-2018 02:18 AM

Hello,

I am getting "Request URI too long error, status 404" because of large splunk query.

How to avoid this issue from the splunk side? i tried macros, but macros are giving me some other issues.

Any solution other than macros?

Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

hedmondjohn
New Member
‎12-27-2022 10:28 PM

This rare condition is only likely to occur when a client has improperly converted a POST request to a GET request with long query information. The HTTP 414 URI Too Long response status code indicates that the URI(Uniform Resource Identifier) requested by the client is longer than the server is willing to interpret.

To resolve this problem :

  • By POST request: Convert query string to json object and sent to API request with POST.
  • By GET request: Max length of request is depend on sever side as well as client side. Most webserver have limit 8k which is configurable. On the client side the different browser has different limit. The browser IE and Safari limit to 2k, Opera 4k and Firefox 8k. This means that the max length for the GET request is 8k and min request length is 2k.

If exceed the request max length then the request truncated outside the limit by web server or browser without any warning. Some server truncated request data but the some server reject it because of data lose and they will return with response code 414 Request-URI Too Long.

Under Apache, the limit is a configurable value, LimitRequestLine. If you want to increase URL limit to 5000 characters (bytes), add the following lines to your server configuration or virtual host file.

LimitRequestLine 5000

If you want to increase maximum header length supported by Apache to 3000 characters, then add the following line.

LimitRequestFieldSize 3000

 

0 Karma
Reply

somesoni2
Revered Legend
‎07-13-2018 08:43 AM

Try saving your large query into a report and then use | savedsearch command to run those.
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Savedsearch

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-13-2018 08:37 AM

@chinmayc469,

You can create a savedsearch for that. You can create parameterized savedsearch also.

1) Create a saved search with your long search in saved search
2) Pass savedsearch SPL in request url.

Please see following link for same:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Savedsearchesconf
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Savedsearch

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...