Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue is there is no response for value NULL  Under field "message.incomingRequest.lob" but its giving NULL in result

r_s01
Explorer
‎01-09-2025 05:52 AM

 

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

r_s01_0-1736430323297.png

Issue is there is no response for value NULL  Under field "message.incomingRequest.lob" but its giving NULL in above shared result, Any idea? or any instruction for debugging so that we can find the root cause. Let me know if more details is needed.

r_s01_1-1736430551973.png

 

Labels (1)
Labels
0 Karma
Reply

PaulPanther
Motivator
‎01-09-2025 06:11 AM

You have events where Field message.incomingRequest.lob does not exist but field message.backendCalls{}.responseCode exists in these kind of events. That's why the "NULL" value is set.

0 Karma
Reply

r_s01
Explorer
‎01-09-2025 07:11 AM

When i am trying with message.backendCalls{}.endPoint then its showing exactly where 404 is coming but i want result on the basis for LOB.

r_s01_0-1736435471028.png

 

any suggestion?

0 Karma
Reply

r_s01
Explorer
‎01-09-2025 06:47 AM

Thanks is there any way though which we can re-adjust the query so that only correct lob values come. There is 404 status codes which should comes for below shared URL 

r_s01_1-1736434013636.png

 

r_s01_0-1736433924864.png
When i am trying with message.backendCalls{}.endPoint then its showing exactly where 404 is coming but i want result on the basis for LOB.

r_s01_1-1736435343053.png

 

 

0 Karma
Reply

r_s01
Explorer
‎01-09-2025 07:04 AM

There is still no response for 404 status code, its only coming for below query

r_s01_0-1736435118708.png

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

r_s01_0-1736434931307.png

 

0 Karma
Reply

PaulPanther
Motivator
‎01-09-2025 07:07 AM

Please validate your data. Based on your screenshots, it seems that when error code 404 occurs, the field message.incomingRequest.lob does not exist in these events.

Reply

PaulPanther
Motivator
‎01-09-2025 06:50 AM

Add message.incomingRequest.lob=* to your base search to filter for events that contain the field message.incomingRequest.lob

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" "message.incomingRequest.lob"=*
| chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"

 

Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

[Puzzles] Solve, Learn, Repeat: Nested loops in Event Conversion

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...