Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue is there is no response for value NULL  Under field "message.incomingRequest.lob" but its giving NULL in result

r_s01
Explorer
‎01-09-2025 05:52 AM

 

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

r_s01_0-1736430323297.png

Issue is there is no response for value NULL  Under field "message.incomingRequest.lob" but its giving NULL in above shared result, Any idea? or any instruction for debugging so that we can find the root cause. Let me know if more details is needed.

r_s01_1-1736430551973.png

 

Labels (1)
Labels
0 Karma
Reply

PaulPanther
Motivator
‎01-09-2025 06:11 AM

You have events where Field message.incomingRequest.lob does not exist but field message.backendCalls{}.responseCode exists in these kind of events. That's why the "NULL" value is set.

0 Karma
Reply

r_s01
Explorer
‎01-09-2025 07:11 AM

When i am trying with message.backendCalls{}.endPoint then its showing exactly where 404 is coming but i want result on the basis for LOB.

r_s01_0-1736435471028.png

 

any suggestion?

0 Karma
Reply

r_s01
Explorer
‎01-09-2025 06:47 AM

Thanks is there any way though which we can re-adjust the query so that only correct lob values come. There is 404 status codes which should comes for below shared URL 

r_s01_1-1736434013636.png

 

r_s01_0-1736433924864.png
When i am trying with message.backendCalls{}.endPoint then its showing exactly where 404 is coming but i want result on the basis for LOB.

r_s01_1-1736435343053.png

 

 

0 Karma
Reply

r_s01
Explorer
‎01-09-2025 07:04 AM

There is still no response for 404 status code, its only coming for below query

r_s01_0-1736435118708.png

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

r_s01_0-1736434931307.png

 

0 Karma
Reply

PaulPanther
Motivator
‎01-09-2025 07:07 AM

Please validate your data. Based on your screenshots, it seems that when error code 404 occurs, the field message.incomingRequest.lob does not exist in these events.

Reply

PaulPanther
Motivator
‎01-09-2025 06:50 AM

Add message.incomingRequest.lob=* to your base search to filter for events that contain the field message.incomingRequest.lob

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" "message.incomingRequest.lob"=*
| chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

 

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...