- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Salesforce object: response status=400
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Salesforce object: response status=400
Hello, i have data that came in as of yesterday but over a period of time (24hrs after), CASE object data are not coming into splunk and looking at my index=_internal,
2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, file=task.py, func_name=_send_request, code_line_no=465 | **[stanza_name=SF_Case] The response status=400** for request which url=https://xxx.com/services/data/v39.0/query?q=SELECT%20CaseNumber%2CParent%2CPriority%2CStatus%2CSubject%2CType%2CLastModifiedDate%20FROM%20Case%20WHERE%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z%20ORDER%20BY%20LastModifiedDate%20LIMIT%201000 and method=GET.
What seems to be the problem with the intermittent issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had this same problem after upgrading the add-on to the most recent version 4.01 which support v42-v48 of the API. After comparing the queries
Old API v39:
https://xxxxx.salesforce.com/services/data/v39.0/query?q=SELECT Id,EventType,LogDate FROM EventLogFile WHERE LogDate>=2020-09-09T00:00:00.000+0000 ORDER BY LogDate LIMIT 1000
New API v42:
https://xxxxx.salesforce.com/services/data/v42.0/query?q=SELECT Id,EventType,LogDate,CreatedDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Hourly' ORDER BY CreatedDate LIMIT 1000
OR
https://xxxxx.salesforce.com/services/data/v42.0/query?q=SELECT Id,EventType,LogDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Daily' ORDER BY CreatedDate LIMIT 1000
Note the difference is the `AND Interval="Hourly/Daily"`
After editing input_module_sfdc_event_log.py and commenting out the following lines 70 & 77, this works properly:
70: #terms.append("AND Interval='%s'" % lv.capitalize())
77: #terms.append("AND Interval='%s'" % lv.capitalize())
BTW, I have it set to Hourly so that it's also not collecting the CreatedDate field (just like the v39 API calls)
Hope this helps - and hope the owner fixes this TA!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll get error 400 if any of your variable names are incorrect. If you have a listing of all the Salesforce CaseFields it will help tremendously.
Glancing through the variables you listed, Parent may be the offending field. I think it should be ParentId. even using ParentId could be problematic for you - it's a lookup, so it may not work straight out of the box.
Try removing Parent. If you have any incorrect field name (typos, etc.) then the entire search fails (400).
CaseNumber, Priority, Status, Subject, Type, LastModifiedDate are all valid fields according to what I'm seeing in the Salesforce CaseFields spreadsheet.
When running into response status=400, I think it's easier to build the statement one variable at a time. Start with CaseNumber and watch the log files. Add Priority, and watch log files. You'll know as soon as a bad field is added. For watching log files, I like this search:
$ tail -f /opt/splunk/var/log/splunk/splunk_ta_salesforce_sfdc_object*.log | grep -E "need been terminated|No more task|Collecting events|Invoking request|Query SOQL|response status"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we are not able to understand whether you posted the error or not.
Could you please elloborate
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
