Troubleshoot the Splunk Add-on for Salesforce
Considerations for non-Admin users
To configure inputs, a power user needs to have the
Splunk Add-on for Salesforce log
To check for errors in the internal logs for this add-on, you can perform this search:
You can configure the logging verbosity on the setup page for the add-on, or in
Data collection stops after upgrading
If your data collection stops after upgrading from version 1.0.0, check that you followed the steps in the Upgrade topic of this manual.
If data collection still is not working, run the following search to check whether an input is misconfigured:
index="_internal" sourcetype="sfdc:*" (log_level=WARNING OR log_level=ERROR) <input_name>
The resulting WARNING or ERROR log entries list missing configurations or inaccurate credentials. In your add-on, edit the input to complete or correct these configurations.
Collecting data from custom objects
If you have created custom objects in your Salesforce instance, complete the following two steps:
- Add the custom object to your
- Add two underscores and a lowercase "c" to the end of the object name: __c.
The following stanza is an example of a custom object in a local
[sfdc_object://setup_audit_trail]
account =
interval = 12
limit = 1000
object = setup_audit_trail__c
object_fields = audit_name__c,Name
disabled = 1
Add-on exits when opened
The refresh_token on your Salesforce environment is not configured for your account <<account_name>>. The Splunk Add-on for Salesforce will exit.
If you receive the following error, use the steps below to troubleshoot this issue:
Salesforce refresh_token is not configured for account "<<account_name>>". Add-on is going to exit.
- In your Salesforce deployment, navigate to Setup > Apps > App Manager > Edit for the connected app that you are using in the Splunk Add-on for Salesforce.
- In your selected app, select Selected OAuth Scopes > API (Enable OAuth Settings), and verify that Perform requests on your behalf at any time (offline_access) is available in Available OAuth Scopes.
- Select Perform requests on your behalf at any time (offline_access) in Available OAuth Scopes and add it to Selected OAuth Scopes.
- Click Save.
- Wait approximately 10 minutes for your changes to take effect on the server, before using the connected app.
- Navigate to your Splunk platform deployment. From the Apps menu, select the Splunk Add-on for Salesforce.
- Disable all your configured inputs.
- From the Splunk Add-on for Salesforce main menu, navigate to Configuration > Account
- Edit the <<account_name>> that is receiving the error.
- Enter the Client Secret and click Update.
- After authenticating, re-enable your configured inputs.
- Verify that data collection has started.
Salesforce server connection issues
If there is a "Connection timed out" error in the log file, check the connection with the server using the following command:
curl -I https://<URL_of_the_Salesforce_endpoint>/services/data
The following message displays if the connection with the Salesforce server is successful:
HTTP/1.1 200 OK
If there is no successful connection, verify that your firewall rules allow the connection with the server.
Inconsistent kv extraction in sfdc:logfile sourcetype
In some of the event types in the sfdc:logfile sourcetype, extra double quotes appear in some fields. This causes inconsistent key-value pair extractions in the Splunk software, so some of the fields are not extracted. This issue originates on the Salesforce side of your deployment, not in this add-on or the Splunk platform software. If you experience this issue, report it to Salesforce Inc.
CSV Error: field larger than field limit
If you encounter the following error for the Salesforce Event Log input:
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 234, in _post_process
  'post')
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 218, in _execute_handlers
  data = handler.execute(context)
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 34, in execute
  result = callable_method(*args)
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/plugin/cce_plugin_sfdc.py", line 111, in read_event_log_file
  for row in csv_reader:
File "/apps/splunk/lib/python2.7/csv.py", line 108, in next
  row = self.reader.next()
Error: field larger than field limit (10485760)
The root cause is that incoming events from your Salesforce deployment are larger than the 10485760 CSV limit provided in the add-on.
To resolve this issue, add the below stanza to your
[general]
csv_limit = <Number>
The value of csv_limit should be greater than the size of the events coming into the CSV stream. The maximum allowed value is 2147483647.
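The following added example (not code from the add-on) reproduces the error from the traceback with Python's csv module and measures the largest field in an event log file so that you can choose a csv_limit value. It assumes that csv_limit maps to csv.field_size_limit; the function names, the headroom factor, and the sample data are hypothetical.

```python
import csv
import io

DEFAULT_LIMIT = 10485760    # limit quoted in the error message on this page
MAX_CSV_LIMIT = 2147483647  # maximum csv_limit value stated on this page


def largest_field(csv_text):
    """Return the length in characters of the largest field in csv_text."""
    previous = csv.field_size_limit(MAX_CSV_LIMIT)  # lift the limit while measuring
    try:
        reader = csv.reader(io.StringIO(csv_text))
        return max((len(field) for row in reader for field in row), default=0)
    finally:
        csv.field_size_limit(previous)  # restore the caller's limit


def parses_with_limit(csv_text, limit):
    """Return True if csv_text parses under the given field size limit."""
    previous = csv.field_size_limit(limit)
    try:
        for _ in csv.reader(io.StringIO(csv_text)):
            pass
        return True
    except csv.Error:  # raised as "field larger than field limit (<limit>)"
        return False
    finally:
        csv.field_size_limit(previous)


def suggest_csv_limit(csv_text, headroom=2):
    """Suggest a csv_limit above the largest field (headroom is an assumed
    safety factor), never below the default and capped at the maximum."""
    needed = largest_field(csv_text) * headroom
    return min(max(needed, DEFAULT_LIMIT), MAX_CSV_LIMIT)


if __name__ == "__main__":
    # Constructed sample: one event whose second field exceeds the default limit.
    sample = "EVENT_TYPE,URI\nApexExecution," + "x" * (DEFAULT_LIMIT + 1) + "\n"
    print("parses with default limit:", parses_with_limit(sample, DEFAULT_LIMIT))
    print("largest field:", largest_field(sample))
    print("suggested csv_limit:", suggest_csv_limit(sample))
```

Run the measurement against a downloaded copy of the event log file that triggers the error, then set csv_limit to a value at or above the suggestion.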
Missing Events from Salesforce
If events are missing from the Salesforce Object Input, the cause might be a delay on the Salesforce platform in publishing events. Configure the delay parameter accordingly to avoid data loss. See Configure Salesforce Object Inputs for the Splunk Add-on for Salesforce.