Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issue is there is no response for value NULL  Under field "message.incomingRequest.lob" but its giving NULL in result

r_s01
Explorer
a month ago

 

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

r_s01_0-1736430323297.png

Issue is there is no response for value NULL  Under field "message.incomingRequest.lob" but its giving NULL in above shared result, Any idea? or any instruction for debugging so that we can find the root cause. Let me know if more details is needed.

r_s01_1-1736430551973.png

 

Labels (1)
Labels
0 Karma
Reply

PaulPanther
Motivator
a month ago

You have events where Field message.incomingRequest.lob does not exist but field message.backendCalls{}.responseCode exists in these kind of events. That's why the "NULL" value is set.

0 Karma
Reply

r_s01
Explorer
a month ago

When i am trying with message.backendCalls{}.endPoint then its showing exactly where 404 is coming but i want result on the basis for LOB.

r_s01_0-1736435471028.png

 

any suggestion?

0 Karma
Reply

r_s01
Explorer
a month ago

Thanks is there any way though which we can re-adjust the query so that only correct lob values come. There is 404 status codes which should comes for below shared URL 

r_s01_1-1736434013636.png

 

r_s01_0-1736433924864.png
When i am trying with message.backendCalls{}.endPoint then its showing exactly where 404 is coming but i want result on the basis for LOB.

r_s01_1-1736435343053.png

 

 

0 Karma
Reply

r_s01
Explorer
a month ago

There is still no response for 404 status code, its only coming for below query

r_s01_0-1736435118708.png

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

r_s01_0-1736434931307.png

 

0 Karma
Reply

PaulPanther
Motivator
a month ago

Please validate your data. Based on your screenshots, it seems that when error code 404 occurs, the field message.incomingRequest.lob does not exist in these events.

Reply

PaulPanther
Motivator
a month ago

Add message.incomingRequest.lob=* to your base search to filter for events that contain the field message.incomingRequest.lob

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" "message.incomingRequest.lob"=*
| chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...