Hello, I have data that came in as of yesterday but over a period of time (24hrs after), CASE object data are not coming into Splunk and looking at my index=_internal:
2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, file=task.py, func_name=_send_request, code_line_no=465 | **[stanza_name=SF_Case] The response status=400** for request which url=https://xxx.com/services/data/v39.0/query?q=SELECT%20CaseNumber%2CParent%2CPriority%2CStatus%2CSubject%2CType%2CLastModifiedDate%20FROM%20Case%20WHERE%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z%20ORDER%20BY%20LastModifiedDate%20LIMIT%201000 and method=GET.
What seems to be the problem with the intermittent issue?
You'll get error 400 if any of your variable names are incorrect. If you have a listing of all the Salesforce CaseFields it will help tremendously.
Glancing through the variables you listed, Parent may be the offending field. I think it should be ParentId. Even using ParentId could be problematic for you - it's a lookup, so it may not work straight out of the box.
Try removing Parent. If you have any incorrect field name (typos, etc.) then the entire search fails (400).
CaseNumber, Priority, Status, Subject, Type, LastModifiedDate are all valid fields according to what I'm seeing in the Salesforce CaseFields spreadsheet.
When running into response status=400, I think it's easier to build the statement one variable at a time. Start with CaseNumber and watch the log files. Add Priority, and watch log files. You'll know as soon as a bad field is added. For watching log files, I like this search:
$ tail -f /opt/splunk/var/log/splunk/splunk_ta_salesforce_sfdc_object*.log | grep -E "need been terminated|No more task|Collecting events|Invoking request|Query SOQL|response status"
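The one-field-at-a-time approach from the answer above, as an added example that is not part of the original thread: it decodes the SOQL out of the failing log line and lists the statements to try in order, so the first one that returns status=400 names the bad field. The function names are hypothetical, and the log line is the one from the question with the bold markers dropped.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Log line from the question above (host already redacted there as xxx.com).
LOG_LINE = (
    "2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, "
    "file=task.py, func_name=_send_request, code_line_no=465 | [stanza_name=SF_Case] "
    "The response status=400 for request which url=https://xxx.com/services/data/v39.0/"
    "query?q=SELECT%20CaseNumber%2CParent%2CPriority%2CStatus%2CSubject%2CType%2C"
    "LastModifiedDate%20FROM%20Case%20WHERE%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z"
    "%20ORDER%20BY%20LastModifiedDate%20LIMIT%201000 and method=GET."
)

def extract_soql(log_line):
    """Return the URL-decoded SOQL statement from a 'response status=' log line."""
    m = re.search(r"url=(\S+)", log_line)
    if not m:
        raise ValueError("no url= field in log line")
    params = parse_qs(urlsplit(m.group(1)).query)
    if "q" not in params:
        raise ValueError("request URL carries no q= parameter")
    return params["q"][0]

def split_fields(soql):
    """Split 'SELECT a,b FROM Obj <rest>' into (fields, object, rest)."""
    m = re.match(r"\s*SELECT\s+(.+?)\s+FROM\s+(\w+)\s*(.*)$", soql, re.I | re.S)
    if not m:
        raise ValueError("not a simple SELECT ... FROM ... statement")
    fields = [f.strip() for f in m.group(1).split(",")]
    return fields, m.group(2), m.group(3)

def incremental_queries(soql):
    """Yield (added_field, statement), growing the field list one field at a time."""
    fields, obj, rest = split_fields(soql)
    for i in range(1, len(fields) + 1):
        stmt = f"SELECT {','.join(fields[:i])} FROM {obj} {rest}".strip()
        yield fields[i - 1], stmt

if __name__ == "__main__":
    for field, stmt in incremental_queries(extract_soql(LOG_LINE)):
        print(f"+{field:<17} {stmt}")
```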