Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

capture error 4xx/5xx

nithys
Communicator
‎03-13-2025 03:56 PM

Hi

Using below query to capture 4xx,5xx error ,but getting as no result found 

index=*    source IN ("/aws/lambda/*")  msg="**"
(error.status=4* OR error.status=5*)
| eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx") | stats count by error.status

Screenshot 2025-03-13 at 3.49.38 PM.pngScreenshot 2025-03-13 at 3.51.18 PM.pngScreenshot 2025-03-13 at 3.48.27 PM.png

{"name":"","","pid":8,"level":50,"error":{"message":"Request failed with status code 500","name":"AxiosError","stack":"AxiosError: Request failed with status code 500\n    )","config":{"transitional":{"silentJSONParsing":true,"forcedJSONParsing":true,"clarifyTimeoutError":false},"adapter":["xhr","http"],"transformRequest":[null],"transformResponse":[null],"timeout":0,"xsrfCookieName":"X","xsrfHeaderName":"X-","maxContentLength":-1,"maxBodyLength":-1,"env":{},"headers":{"Accept":"application/json, text/plain, */*","Content-Type":"application/json","Authorization":"","User-Agent":"","Accept-Encoding":"gzip, compress, deflate, br"},"method":"get",""},"code":"ERR_BAD_RESPONSE","status":500},"eventAttributes":{"Identifier":2025732,"VersionNumber":"A.43"},"msg":"msg:data:error","time":":48:38.213Z","v":0}

this is my raw event format mostly looks like 

Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-13-2025 10:33 PM

Is it possible that your raw event is noncompliant?  This is what your illustrated event format suggests.  If that format is exact, Splunk cannot extract anything other than "name" field.  There are two elements that violates JSON syntax.  The mock event contains two bare strings that are not key-value pairs, as pointed out as "MISSING-KEY1" and "MISSING-KEY2" in the following pretty-print of a "corrected" conformant JSON object:

{
    "name": "",
    "MISSING-KEY1": "",
    "pid": 8,
    "level": 50,
    "error": {
        "message": "Request failed with status code 500",
        "name": "AxiosError",
        "stack": "AxiosError: Request failed with status code 500\n    )",
        "config": {
            "transitional": {
                "silentJSONParsing": true,
                "forcedJSONParsing": true,
                "clarifyTimeoutError": false
            },
            "adapter": [
                "xhr",
                "http"
            ],
            "transformRequest": [
                null
            ],
            "transformResponse": [
                null
            ],
            "timeout": 0,
            "xsrfCookieName": "X",
            "xsrfHeaderName": "X-",
            "maxContentLength": -1,
            "maxBodyLength": -1,
            "env": {},
            "headers": {
                "Accept": "application/json, text/plain, */*",
                "Content-Type": "application/json",
                "Authorization": "",
                "User-Agent": "",
                "Accept-Encoding": "gzip, compress, deflate, br"
            },
            "method": "get",
            "MISSING-KEY2": ""
        },
        "code": "ERR_BAD_RESPONSE",
        "status": 500
    },
    "eventAttributes": {
        "Identifier": 2025732,
        "VersionNumber": "A.43"
    },
    "msg": "msg:data:error",
    "time": ":48:38.213Z",
    "v": 0
}

If your actual events are non-compliant, Splunk will not have a value for error.status.

By the way,  the command "eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx")" is wasted as your stats command does not use the field status.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-13-2025 09:34 PM

Are your fields auto extracted, i.e. if you just do

index=*    source IN ("/aws/lambda/*")  msg="**"

in verbose search mode, do you see error.status in the left hand panel? If so, can you see values of 4xx and 5xx?

It may be that if your JSON objects are longer than 5k, the status field may not be auto extracted, so you could try

index=* source IN ("/aws/lambda/*")  msg="**"
| spath error.status
| search (error.status=4* OR error.status=5*)
| eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx") 
| stats count by error.status

which will tell you if it's a JSON object limit

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...