Refine your search:

How to Disable http response gzip encoding

1

I have a problem regarding gzip encoding. Any help is very appreciated.

The flash timelines and many charts does not work behind a proxy. The problem occurs when the http response is encoded with gzip, so the proxy can't rewrite the urls.

I have edited [web.conf] as follows: enable_gzip = False. Also, I put the Accept-Encoding: identity in the request header

Still no luck. No matter what I do, the response is gzip compressed (bug?)

... Example request and response fetching a timeline:

GET /en-US/app/search/flashtimeline?auto_pause=true&q=search HTTP/1.1

Host: localhost

Connection: keep-alive

Referer: http://localhost/SplunkProxy/en-US/app/search/dashboard

Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13

Accept-Encoding: identity

Accept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Cookie: session_id_8000=e39121e162ef0cfc2d05e6c432b68307f918a0ed



HTTP/1.1 200 OK

Content-Type: text/html;charset=utf-8

Content-Encoding: gzip

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

Set-Cookie: session_id_8000=e39121e162ef0cfc2d05e6c432b68307f918a0ed; expires=Tue, 22 Mar 2011 14:35:00 GMT; Path=/

X-Powered-By: ASP.NET

Date: Mon, 21 Mar 2011 14:35:00 GMT

Content-Length: 15437



.............`.I.%&/m.{.J.J..t...`.$. ...... etc etc

asked 21 Mar '11, 20:06

magnuspenilsson's gravatar image

magnuspenilsson
134
accept rate: 0%

3 Answers:
oldestnewestmost voted
1

Gzipping in HTTP occurs after the headers and should not affect any downstream servers.

The problem you are probably running into is the root endpoint setting. Looking at your request dump, you probably need to set the following in your web.conf file:

[settings]
root_endpoint = /SplunkProxy

This causes Splunkweb to forward all requests (whether proxied or direct) to this new sub-endpoint. Additional info is available in a previous post about proxying.

Background info on how HTTP gzipping works can be found in this tutorial.

link

answered 21 Mar '11, 21:20

Johnvey's gravatar image

Johnvey ♦♦
2.2k1217
accept rate: 58%

Yes, gzipping occurs at the content only. IIS proxy (using ARR 2 & URL Rewrite 2) demands that the response is not gzipped for proxy reverse rewrite to work... Proxy is hosted on IIS at http://localhost/SplunkProxy/. Splunk is hosted at standard http://localhost:8000/. Then root_endpoint should be "/", right?. The GET parameter before proxy rewriting is "/en-US/app/search/flashtimeline?auto_pause=true&q=search HTTP/1.1". After it is "http:/localhost:8000/en-US/app/search/flashtimeline?auto_pause=true&q=search HTTP/1.1".

(21 Mar '11, 21:41) magnuspenilsson
1

This appears to work for me under Splunk 4.1.7 on Linux:

$ cat /opt/splunk/etc/system/local/web.conf 
[settings]
mgmtHostPort = localhost:8099
enable_gzip = False

I checked with wireshark and do not see gzip compression. You should check your config with btool as follows:

/opt/splunk/bin/splunk cmd btool --debug web list | egrep -i "\[.*\]|gzip"
system     [default]
system     [settings]
system     enable_gzip = False
link

answered 21 Mar '11, 20:48

dwaddle's gravatar image

dwaddle ♦
11.2k1516
accept rate: 34%

I have the same config.

Setting enable_gzip = True makes a lot of requests compressed, so it works as it is supposed to, excepts for timelines that is...

I am also using Wireshark. Have you tried to capture the exact same request? Default "Search" App Dashboard -> Click on a sourcetype to get to the search view. Examine the request in my example (GET /en-US/app/search/flashtimeline?auto_pause=true&q=search HTTP/1.1). In my case, it is compressed.

(21 Mar '11, 21:06) magnuspenilsson
0

Solved. Johnvey, you are absolutely right about the root_endpoint. It should be set to "/SplunkProxy" if the proxy is located on "proxydomain/SplunkProxy/".

The reason for all my problems was that the IIS proxy using ARR and URL Rewrite must be configured at the proxy website root. I had an "Application" at localhost/SplunkTest where I also put the proxy rules which caused strange rewriting behaviors.

Thank you both of you.

link

answered 21 Mar '11, 23:13

magnuspenilsson's gravatar image

magnuspenilsson
134
accept rate: 0%

Make sure to mark Johnvey's answer as correct by clicking the green checkbox next to it. That will cause the answers system to treat this as 'answered' and help future users reading answers posts - not to mention hand out some rep points :)

(23 Mar '11, 01:33) dwaddle ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×27
×21
×13

Asked: 21 Mar '11, 20:06

Seen: 1,840 times

Last updated: 21 Mar '11, 23:13

Related questions

fschange and indexing gzip files

Do splunked events, that are gzip'd on disk, stay that way while I am searching them?

Indexing content that may contain in-line gzip

md5, crcSalt, gzip, oh my!

Does Splunk index gzip files?

Has anyone used a gzip compression card with Splunk?

Splunk Web & Splunkd HTTP Server response header

search by http response code

Receiving an HTTP 303 (See Other) response from Splunk Server using the API

Copyright © 2005-2012 Splunk, Inc. All rights reserved.