Splunk Search

Issue: there is no response for value NULL under field "message.incomingRequest.lob", but it's giving NULL in the result

r_s01
Explorer


index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"


Issue: there is no response for value NULL under field "message.incomingRequest.lob", but it's giving NULL in the above shared result. Any idea? Or any instructions for debugging so that we can find the root cause? Let me know if more details are needed.


PaulPanther
Motivator

You have events where the field message.incomingRequest.lob does not exist but the field message.backendCalls{}.responseCode exists in these kinds of events. That's why the "NULL" value is set.


r_s01
Explorer

When I am trying with message.backendCalls{}.endPoint, then it's showing exactly where 404 is coming from, but I want the result on the basis of LOB.


Any suggestion?


r_s01
Explorer

Thanks. Is there any way through which we can re-adjust the query so that only correct lob values come? There are 404 status codes which should come for the below shared URL.

When I am trying with message.backendCalls{}.endPoint, then it's showing exactly where 404 is coming from, but I want the result on the basis of LOB.


r_s01
Explorer

There is still no response for the 404 status code; it's only coming for the below query.


index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" | chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"


PaulPanther
Motivator

Please validate your data. Based on your screenshots, it seems that when error code 404 occurs, the field message.incomingRequest.lob does not exist in these events.

PaulPanther
Motivator

Add message.incomingRequest.lob=* to your base search to filter for events that contain the field message.incomingRequest.lob.

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound" "message.incomingRequest.lob"=*
| chart count by "message.backendCalls{}.responseCode", "message.incomingRequest.lob"
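The data-validation step suggested above, as an added SPL example that is not part of the thread: it uses the same base search and field names as the question, and flags each event on whether the lob field exists and whether any backend call returned 404, then counts the combinations. Since the two flag fields always exist, no event is dropped from the stats output (unlike a stats/chart by a field that may be missing), so the 404 events without a lob stay visible along with the endpoints they hit.

```spl
index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Inbound"
| eval has_lob=if(isnotnull('message.incomingRequest.lob'), "yes", "no")
| eval has_404=if(isnotnull(mvfind('message.backendCalls{}.responseCode', "^404$")), "yes", "no")
| stats count, dc("message.incomingRequest.lob") AS distinct_lobs, values("message.backendCalls{}.endPoint") AS endpoints BY has_lob, has_404
```

If the row has_lob=no / has_404=yes carries all of the 404s, the NULL column in the chart is those events, and filtering with message.incomingRequest.lob=* will remove the 404s from the chart rather than assign them a lob.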
