Salesforce object: response status=400

teddyidc1101
Communicator

Hello, I have data that came in as of yesterday, but over a period of time (24hrs after), CASE object data are not coming into Splunk, and looking at my index=_internal,

2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, file=task.py, func_name=_send_request, code_line_no=465 | **[stanza_name=SF_Case] The response status=400** for request which url=https://xxx.com/services/data/v39.0/query?q=SELECT%20CaseNumber%2CParent%2CPriority%2CStatus%2CSubject%2CType%2CLastModifiedDate%20FROM%20Case%20WHERE%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z%20ORDER%20BY%20LastModifiedDate%20LIMIT%201000 and method=GET.

What seems to be the problem with the intermittent issue?

0 Karma

gordo32
Communicator

I had this same problem after upgrading the add-on to the most recent version 4.01, which supports v42-v48 of the API. After comparing the queries:

Old API v39:

https://xxxxx.salesforce.com/services/data/v39.0/query?q=SELECT Id,EventType,LogDate FROM EventLogFile WHERE LogDate>=2020-09-09T00:00:00.000+0000 ORDER BY LogDate LIMIT 1000

New API v42:

https://xxxxx.salesforce.com/services/data/v42.0/query?q=SELECT Id,EventType,LogDate,CreatedDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Hourly' ORDER BY CreatedDate LIMIT 1000

OR

https://xxxxx.salesforce.com/services/data/v42.0/query?q=SELECT Id,EventType,LogDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Daily' ORDER BY CreatedDate LIMIT 1000

 

Note the difference is the `AND Interval="Hourly/Daily"`

 

After editing input_module_sfdc_event_log.py and commenting out the following lines 70 & 77, this works properly:

70: #terms.append("AND Interval='%s'" % lv.capitalize())

77: #terms.append("AND Interval='%s'" % lv.capitalize())

 

BTW, I have it set to Hourly so that it's also not collecting the CreatedDate field (just like the v39 API calls)

 

Hope this helps - and hope the owner fixes this TA!!

0 Karma

pensword
Engager

You'll get error 400 if any of your variable names are incorrect. If you have a listing of all the Salesforce CaseFields it will help tremendously.

Glancing through the variables you listed, Parent may be the offending field. I think it should be ParentId. Even using ParentId could be problematic for you - it's a lookup, so it may not work straight out of the box.

Try removing Parent. If you have any incorrect field name (typos, etc.) then the entire search fails (400).

CaseNumber, Priority, Status, Subject, Type, LastModifiedDate are all valid fields according to what I'm seeing in the Salesforce CaseFields spreadsheet.

When running into response status=400, I think it's easier to build the statement one variable at a time. Start with CaseNumber and watch the log files. Add Priority, and watch log files. You'll know as soon as a bad field is added. For watching log files, I like this search:

$ tail -f /opt/splunk/var/log/splunk/splunk_ta_salesforce_sfdc_object*.log | grep -E "need been terminated|No more task|Collecting events|Invoking request|Query SOQL|response status"
0 Karma
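
The field-by-field approach from the answer above, as an added example that is not part of the original post or the add-on's code. It parses the error line from the question, decodes the SOQL, flags fields missing from a known-good list, and builds the one-field-at-a-time test queries; the function names, the `LIMIT 1` on the test queries and the known-good list (taken from the fields the answer calls valid) are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Fields the answer above reports as valid on Case; extend from your org's list.
KNOWN_CASE_FIELDS = {"CaseNumber", "Priority", "Status", "Subject", "Type",
                     "LastModifiedDate"}

# Constructed sample: the error line from the question (forum bold markers dropped).
SAMPLE_LOG = (
    "2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, "
    "file=task.py, func_name=_send_request, code_line_no=465 | "
    "[stanza_name=SF_Case] The response status=400 for request which "
    "url=https://xxx.com/services/data/v39.0/query?q=SELECT%20CaseNumber%2CParent"
    "%2CPriority%2CStatus%2CSubject%2CType%2CLastModifiedDate%20FROM%20Case%20WHERE"
    "%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z%20ORDER%20BY%20"
    "LastModifiedDate%20LIMIT%201000 and method=GET."
)

LINE_RE = re.compile(r"\[stanza_name=(?P<stanza>[^\]]+)\] The response "
                     r"status=(?P<status>\d+)\S* for request which url=(?P<url>\S+)")
SOQL_RE = re.compile(r"SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<obj>\w+)", re.I | re.S)


def parse_failed_request(line):
    """Return stanza, HTTP status, object and field list from an error line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    query = urlsplit(m["url"]).query
    # Take the q= parameter and percent-decode it (unquote keeps a literal '+').
    soql = unquote(query.split("q=", 1)[1]) if "q=" in query else ""
    s = SOQL_RE.search(soql)
    if not s:
        return None
    fields = [f.strip() for f in s["fields"].split(",")]
    return {"stanza": m["stanza"], "status": int(m["status"]),
            "object": s["obj"], "fields": fields}


def suspect_fields(fields, known=KNOWN_CASE_FIELDS):
    """Fields not on the known-good list, in query order."""
    return [f for f in fields if f not in known]


def incremental_queries(obj, fields):
    """One query per step, each adding a single field, for one-at-a-time testing."""
    return ["SELECT %s FROM %s LIMIT 1" % (",".join(fields[:i]), obj)
            for i in range(1, len(fields) + 1)]
```

A field flagged by `suspect_fields` is only a candidate; the step in `incremental_queries` at which the log first shows response status=400 is what confirms it.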

logloganathan
Motivator

We are not able to understand whether you posted the error or not.
Could you please elaborate?

0 Karma