topic Re: capture error 4xx/5xx in Splunk Search

capture error 4xx/5xx

nithys — Thu, 13 Mar 2025 22:58:00 GMT

Using below query to capture 4xx,5xx error ,but getting as no result found

index=* source IN ("/aws/lambda/*") msg="**" (error.status=4* OR error.status=5*) | eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx") | stats count by error.status

{"name":"","","pid":8,"level":50,"error":{"message":"Request failed with status code 500","name":"AxiosError","stack":"AxiosError: Request failed with status code 500\n )","config":{"transitional":{"silentJSONParsing":true,"forcedJSONParsing":true,"clarifyTimeoutError":false},"adapter":["xhr","http"],"transformRequest":[null],"transformResponse":[null],"timeout":0,"xsrfCookieName":"X","xsrfHeaderName":"X-","maxContentLength":-1,"maxBodyLength":-1,"env":{},"headers":{"Accept":"application/json, text/plain, */*","Content-Type":"application/json","Authorization":"","User-Agent":"","Accept-Encoding":"gzip, compress, deflate, br"},"method":"get",""},"code":"ERR_BAD_RESPONSE","status":500},"eventAttributes":{"Identifier":2025732,"VersionNumber":"A.43"},"msg":"msg:data:error","time":":48:38.213Z","v":0}

this is my raw event format mostly looks like

Re: capture error 4xx/5xx

bowesmana — Fri, 14 Mar 2025 04:34:26 GMT

Are your fields auto extracted, i.e. if you just do

index=* source IN ("/aws/lambda/*") msg="**"

in verbose search mode, do you see error.status in the left hand panel? If so, can you see values of 4xx and 5xx?

It may be that if your JSON objects are longer than 5k, the status field may not be auto extracted, so you could try

index=* source IN ("/aws/lambda/*") msg="**" | spath error.status | search (error.status=4* OR error.status=5*) | eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx") | stats count by error.status

which will tell you if it's a JSON object limit

Re: capture error 4xx/5xx

yuanliu — Fri, 14 Mar 2025 05:33:45 GMT

Is it possible that your raw event is noncompliant? This is what your illustrated event format suggests. If that format is exact, Splunk cannot extract anything other than "name" field. There are two elements that violates JSON syntax. The mock event contains two bare strings that are not key-value pairs, as pointed out as "MISSING-KEY1" and "MISSING-KEY2" in the following pretty-print of a "corrected" conformant JSON object:

{ "name": "", "MISSING-KEY1": "", "pid": 8, "level": 50, "error": { "message": "Request failed with status code 500", "name": "AxiosError", "stack": "AxiosError: Request failed with status code 500\n )", "config": { "transitional": { "silentJSONParsing": true, "forcedJSONParsing": true, "clarifyTimeoutError": false }, "adapter": [ "xhr", "http" ], "transformRequest": [ null ], "transformResponse": [ null ], "timeout": 0, "xsrfCookieName": "X", "xsrfHeaderName": "X-", "maxContentLength": -1, "maxBodyLength": -1, "env": {}, "headers": { "Accept": "application/json, text/plain, */*", "Content-Type": "application/json", "Authorization": "", "User-Agent": "", "Accept-Encoding": "gzip, compress, deflate, br" }, "method": "get", "MISSING-KEY2": "" }, "code": "ERR_BAD_RESPONSE", "status": 500 }, "eventAttributes": { "Identifier": 2025732, "VersionNumber": "A.43" }, "msg": "msg:data:error", "time": ":48:38.213Z", "v": 0 }

If your actual events are non-compliant, Splunk will not have a value for error.status.

By the way, the command "eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx")" is wasted as your stats command does not use the field status.