Yes, you can copy the URL, decode the URL parameters, and paste it into a new search, but clicking on a bookmarklet is more convenient for me. If decoding your query due to the 414 error is a common occurrence, you could also make a CyberChef recipe to help. I don't know how much work it would take to make a bookmarklet that would POST the AST to the server instead.

I understand that your search has a large number of calculations, but you can use a macro to make the URL shorter.

index=test example.com | `complex_calculations` | `get_geoip_data(src_ip)` | `multiple_stats_commands`

In that case, each macro can contain a very large number of commands. When possible, I create macros that are reusable, but that is not always appropriate. In particular, Splunk Enterprise Security content includes a separate filter macro for each Correlation Search so that false positives can be tuned out without editing the detection core logic.

Without access to your search query, it is difficult to know how to make the search smaller. In a Windows browser, you can press Ctrl-Shift-E when writing your search to show the "Expanded Search String" with the content in all of the macros being shown.

These are a couple examples of how I've moved long parsing and calculation strings to macros:

get_datamodel_desc(1)
entropy_digits_lowercase(1) (the Decrypt2 app is better than this macro)
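
The manual step described in the post above (decode the URL parameters and paste the search back in), as an added example that is not the poster's bookmarklet or Splunk's own code. It assumes the search is carried in the `q` parameter with `earliest` and `latest` for the time range; the function name, host and sample URL are constructed for illustration.

```javascript
// Added example: recover the SPL from a Splunk search URL (e.g. one that failed with 414).
// Assumption: the search is carried in the `q` query parameter, with the
// time range in `earliest` / `latest`.

function decodeSplunkSearchUrl(rawUrl) {
  const url = new URL(rawUrl);
  const params = url.searchParams; // percent-decodes values, treats "+" as space

  let search = params.get("q");
  if (search === null) {
    throw new Error("URL has no q parameter; nothing to decode");
  }
  // Assumption: q starts with the explicit `search` command, which is
  // dropped here so the text can be pasted into the search bar.
  search = search.trim().replace(/^search\s+/, "");

  // Macros are delimited by backticks in SPL; list them to see what is
  // already factored out of the URL into macros.
  const macros = [...search.matchAll(/`([^`]+)`/g)].map((m) => m[1]);

  return {
    search,
    earliest: params.get("earliest"),
    latest: params.get("latest"),
    macros,
    urlLength: rawUrl.length, // compare against the length that triggers the 414
  };
}

// Constructed sample: the search from the post, on a placeholder host.
const SAMPLE_SPL =
  "index=test example.com | `complex_calculations` | " +
  "`get_geoip_data(src_ip)` | `multiple_stats_commands`";
const SAMPLE_URL =
  "https://splunk.example.com/en-US/app/search/search?q=" +
  encodeURIComponent("search " + SAMPLE_SPL) +
  "&earliest=-24h%40h&latest=now";

console.log(decodeSplunkSearchUrl(SAMPLE_URL));
```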