All Apps and Add-ons

Salesforce object: response status=400


Hello, i have data that came in as of yesterday but over a period of time (24hrs after), CASE object data are not coming into splunk and looking at my index=_internal,

2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread,, func_name=_send_request, code_line_no=465 | **[stanza_name=SF_Case] The response status=400** for request which url= and method=GET.

What seems to be the problem with the intermittent issue.

0 Karma


I had this same problem after upgrading the add-on to the most recent version 4.01 which support v42-v48 of the API. After comparing the queries

Old API v39: Id,EventType,LogDate FROM EventLogFile WHERE LogDate>=2020-09-09T00:00:00.000+0000 ORDER BY LogDate LIMIT 1000

New API v42: Id,EventType,LogDate,CreatedDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Hourly' ORDER BY CreatedDate LIMIT 1000

OR Id,EventType,LogDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Daily' ORDER BY CreatedDate LIMIT 1000


Note the difference is the `AND Interval="Hourly/Daily"`


After editing and commenting out the following lines 70 & 77, this works properly:

70: #terms.append("AND Interval='%s'" % lv.capitalize())

77: #terms.append("AND Interval='%s'" % lv.capitalize())


BTW, I have it set to Hourly so that it's also not collecting the CreatedDate field (just like the v39 API calls)


Hope this helps - and hope the owner fixes this TA!!

0 Karma


You'll get error 400 if any of your variable names are incorrect. If you have a listing of all the Salesforce CaseFields it will help tremendously.

Glancing through the variables you listed, Parent may be the offending field. I think it should be ParentId. even using ParentId could be problematic for you - it's a lookup, so it may not work straight out of the box.

Try removing Parent. If you have any incorrect field name (typos, etc.) then the entire search fails (400).

CaseNumber, Priority, Status, Subject, Type, LastModifiedDate are all valid fields according to what I'm seeing in the Salesforce CaseFields spreadsheet.

When running into response status=400, I think it's easier to build the statement one variable at a time. Start with CaseNumber and watch the log files. Add Priority, and watch log files. You'll know as soon as a bad field is added. For watching log files, I like this search:

$ tail -f /opt/splunk/var/log/splunk/splunk_ta_salesforce_sfdc_object*.log | grep -E "need been terminated|No more task|Collecting events|Invoking request|Query SOQL|response status"
0 Karma


we are not able to understand whether you posted the error or not.
Could you please elloborate

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...