Hello, I have data that came in as of yesterday, but over a period of time (24 hrs after), CASE object data are not coming into Splunk. Looking at my index=_internal:
2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, file=task.py, func_name=_send_request, code_line_no=465 | **[stanza_name=SF_Case] The response status=400** for request which url=https://xxx.com/services/data/v39.0/query?q=SELECT%20CaseNumber%2CParent%2CPriority%2CStatus%2CSubject%2CType%2CLastModifiedDate%20FROM%20Case%20WHERE%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z%20ORDER%20BY%20LastModifiedDate%20LIMIT%201000 and method=GET.
What seems to be the problem with the intermittent issue?
I had this same problem after upgrading the add-on to the most recent version 4.01, which supports v42-v48 of the API. After comparing the queries:
Old API v39:
https://xxxxx.salesforce.com/services/data/v39.0/query?q=SELECT Id,EventType,LogDate FROM EventLogFile WHERE LogDate>=2020-09-09T00:00:00.000+0000 ORDER BY LogDate LIMIT 1000
New API v42:
https://xxxxx.salesforce.com/services/data/v42.0/query?q=SELECT Id,EventType,LogDate,CreatedDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Hourly' ORDER BY CreatedDate LIMIT 1000
https://xxxxx.salesforce.com/services/data/v42.0/query?q=SELECT Id,EventType,LogDate FROM EventLogFile WHERE CreatedDate>=2020-09-10T00:00:00.000+0000 AND Interval='Daily' ORDER BY CreatedDate LIMIT 1000
Note the difference is the `AND Interval="Hourly/Daily"`
After editing input_module_sfdc_event_log.py and commenting out the following lines 70 & 77, this works properly:
70: #terms.append("AND Interval='%s'" % lv.capitalize())
77: #terms.append("AND Interval='%s'" % lv.capitalize())
BTW, I have it set to Hourly so that it's also not collecting the CreatedDate field (just like the v39 API calls)
Hope this helps - and hope the owner fixes this TA!!
You'll get error 400 if any of your variable names are incorrect. If you have a listing of all the Salesforce CaseFields it will help tremendously.
Glancing through the variables you listed, Parent may be the offending field. I think it should be ParentId. Even using ParentId could be problematic for you - it's a lookup, so it may not work straight out of the box.
Try removing Parent. If you have any incorrect field name (typos, etc.) then the entire search fails (400).
CaseNumber, Priority, Status, Subject, Type, LastModifiedDate are all valid fields according to what I'm seeing in the Salesforce CaseFields spreadsheet.
When running into response status=400, I think it's easier to build the statement one variable at a time. Start with CaseNumber and watch the log files. Add Priority, and watch log files. You'll know as soon as a bad field is added. For watching log files, I like this search:
$ tail -f /opt/splunk/var/log/splunk/splunk_ta_salesforce_sfdc_object*.log | grep -E "need been terminated|No more task|Collecting events|Invoking request|Query SOQL|response status"
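Added example, not part of the thread and not the add-on's own code: a Python sketch that takes a `response status=400` line shaped like the one in the question, decodes the SOQL from the logged URL, and builds the one-field-at-a-time queries suggested in the answer above. The sample line is constructed (placeholder host `example.invalid`), and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample shaped like the ERROR line in the question.
# The host is a placeholder; nothing here contacts Salesforce or Splunk.
SAMPLE = (
    "2018-06-12 01:42:15,903 +0000 log_level=ERROR, pid=32750, tid=MainThread, file=task.py, "
    "func_name=_send_request, code_line_no=465 | [stanza_name=SF_Case] The response status=400 "
    "for request which url=https://example.invalid/services/data/v39.0/query?q=SELECT%20"
    "CaseNumber%2CParent%2CPriority%2CStatus%2CSubject%2CType%2CLastModifiedDate%20FROM%20Case"
    "%20WHERE%20LastModifiedDate%3E2018-03-13T00%3A00%3A00.000z%20ORDER%20BY%20LastModifiedDate"
    "%20LIMIT%201000 and method=GET.")

LINE_RE = re.compile(r"\[stanza_name=(?P<stanza>[^\]]+)\].*?response status=(?P<status>\d+)"
                     r".*?url=(?P<url>\S+)")
SOQL_RE = re.compile(r"^SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<obj>\w+)",
                     re.IGNORECASE | re.DOTALL)

def parse_failed_request(line):
    """Extract stanza, HTTP status, decoded SOQL, object and field list from a log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qs = urlsplit(m.group("url")).query
    if not qs.startswith("q="):
        return None
    query = unquote(qs[2:])  # unquote, not unquote_plus: keeps '+' in offsets like +0000
    s = SOQL_RE.match(query.strip())
    if not s:
        return None
    fields = [f.strip() for f in s.group("fields").split(",") if f.strip()]
    return {"stanza": m.group("stanza"), "status": int(m.group("status")),
            "soql": query, "object": s.group("obj"), "fields": fields}

def incremental_queries(req, limit=1):
    """One SOQL query per field-list prefix; the first one answered with 400 names the bad field."""
    out = []
    for i, field in enumerate(req["fields"]):
        out.append((field, "SELECT %s FROM %s LIMIT %d"
                    % (",".join(req["fields"][:i + 1]), req["object"], limit)))
    return out

if __name__ == "__main__":
    for added, soql in incremental_queries(parse_failed_request(SAMPLE)):
        print("%-18s %s" % (added, soql))
```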