Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

capture error 4xx/5xx

nithys
Communicator
‎03-13-2025 03:56 PM

Hi

Using below query to capture 4xx,5xx error ,but getting as no result found 

index=*    source IN ("/aws/lambda/*")  msg="**"
(error.status=4* OR error.status=5*)
| eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx") | stats count by error.status

Screenshot 2025-03-13 at 3.49.38 PM.pngScreenshot 2025-03-13 at 3.51.18 PM.pngScreenshot 2025-03-13 at 3.48.27 PM.png

{"name":"","","pid":8,"level":50,"error":{"message":"Request failed with status code 500","name":"AxiosError","stack":"AxiosError: Request failed with status code 500\n    )","config":{"transitional":{"silentJSONParsing":true,"forcedJSONParsing":true,"clarifyTimeoutError":false},"adapter":["xhr","http"],"transformRequest":[null],"transformResponse":[null],"timeout":0,"xsrfCookieName":"X","xsrfHeaderName":"X-","maxContentLength":-1,"maxBodyLength":-1,"env":{},"headers":{"Accept":"application/json, text/plain, */*","Content-Type":"application/json","Authorization":"","User-Agent":"","Accept-Encoding":"gzip, compress, deflate, br"},"method":"get",""},"code":"ERR_BAD_RESPONSE","status":500},"eventAttributes":{"Identifier":2025732,"VersionNumber":"A.43"},"msg":"msg:data:error","time":":48:38.213Z","v":0}

this is my raw event format mostly looks like 

Labels (3)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-13-2025 10:33 PM

Is it possible that your raw event is noncompliant?  This is what your illustrated event format suggests.  If that format is exact, Splunk cannot extract anything other than "name" field.  There are two elements that violates JSON syntax.  The mock event contains two bare strings that are not key-value pairs, as pointed out as "MISSING-KEY1" and "MISSING-KEY2" in the following pretty-print of a "corrected" conformant JSON object:

{
    "name": "",
    "MISSING-KEY1": "",
    "pid": 8,
    "level": 50,
    "error": {
        "message": "Request failed with status code 500",
        "name": "AxiosError",
        "stack": "AxiosError: Request failed with status code 500\n    )",
        "config": {
            "transitional": {
                "silentJSONParsing": true,
                "forcedJSONParsing": true,
                "clarifyTimeoutError": false
            },
            "adapter": [
                "xhr",
                "http"
            ],
            "transformRequest": [
                null
            ],
            "transformResponse": [
                null
            ],
            "timeout": 0,
            "xsrfCookieName": "X",
            "xsrfHeaderName": "X-",
            "maxContentLength": -1,
            "maxBodyLength": -1,
            "env": {},
            "headers": {
                "Accept": "application/json, text/plain, */*",
                "Content-Type": "application/json",
                "Authorization": "",
                "User-Agent": "",
                "Accept-Encoding": "gzip, compress, deflate, br"
            },
            "method": "get",
            "MISSING-KEY2": ""
        },
        "code": "ERR_BAD_RESPONSE",
        "status": 500
    },
    "eventAttributes": {
        "Identifier": 2025732,
        "VersionNumber": "A.43"
    },
    "msg": "msg:data:error",
    "time": ":48:38.213Z",
    "v": 0
}

If your actual events are non-compliant, Splunk will not have a value for error.status.

By the way,  the command "eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx")" is wasted as your stats command does not use the field status.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-13-2025 09:34 PM

Are your fields auto extracted, i.e. if you just do

index=*    source IN ("/aws/lambda/*")  msg="**"

in verbose search mode, do you see error.status in the left hand panel? If so, can you see values of 4xx and 5xx?

It may be that if your JSON objects are longer than 5k, the status field may not be auto extracted, so you could try

index=* source IN ("/aws/lambda/*")  msg="**"
| spath error.status
| search (error.status=4* OR error.status=5*)
| eval status=case(like(error.status, "4%"), "4xx", like(error.status, "5%"), "5xx") 
| stats count by error.status

which will tell you if it's a JSON object limit

Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top