Splunk® Supported Add-ons

Splunk Add-on for Salesforce

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Release history for the Splunk Add-on for Salesforce

The latest release of the Splunk Add-on for Salesforce is version 4.9.0. See the release notes for more information.

To upgrade to the latest version of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

Version 4.8.1

Version 4.8.1 of the Splunk Add-on for Salesforce was released on December 22, 2023.

Compatibility

Version 4.8.1 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 9.0.x, 9.1.x
CIM 5.1.1
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 58.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.8.1 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.8.1 of the Splunk Add-on for Salesforce provides the following features:

  • Fixed the security vulnerabilities found in the urllib3 library by upgrading their version from 1.26.12 to 1.26.18.

Fixed issues

Version 4.8.1 of the Splunk Add-on for Salesforce fixes the following (if any) issues:


Known issues

Version 4.8.1 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-10-27 ADDON-65826 Not able to access salesforce add-on when assigning the 'list_storage_passowrds' capabilities to non-admin local user in Splunk
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.


Version 4.8.0

Version 4.8.0 of the Splunk Add-on for Salesforce was released on Aug 11, 2023.

Compatibility

Version 4.8.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.2.x, 9.0.x
CIM 5.1.1
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 58.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.8.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.8.0 of the Splunk Add-on for Salesforce provides the following features:

  • Support for Salesforce API version 57.0 and 58.0.
  • Enhanced the EventLogFile input data collection to handle the scenario where a particular EventLogFile gets deleted from the Salesforce server.

Fixed issues

Version 4.8.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2023-08-09 ADDON-62516 Increase oauth_timeout to give enough time for MFA

Known issues

Version 4.8.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-10-27 ADDON-65826 Not able to access salesforce add-on when assigning the 'list_storage_passowrds' capabilities to non-admin local user in Splunk
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.

Version 4.7.1

Version 4.7.1 of the Splunk Add-on for Salesforce was released on May 22, 2023.

Compatibility

Version 4.7.1 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.0.0
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 56.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.7.1 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.7.1 of the Splunk Add-on for Salesforce provides no new features.

Fixed issues

Version 4.7.1 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2023-05-21 ADDON-62126 Data collection halts and the "Record id not found" error is seen in logs due to the "NOT_FOUND" keyword present in the EventLogFile events

Known issues

Version 4.7.1 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-05-24 ADDON-62516 Increase oauth_timeout to give enough time for MFA
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.


Version 4.6.1

Version 4.6.1 of the Splunk Add-on for Salesforce was released on February 18, 2023

Compatibility

Version 4.6.1 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.0.0
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 56.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.6.1 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.6.1 of the Splunk Add-on for Salesforce provides the following new features:

  • Fixed issue related to scripted lookup not working on Search Heads.

Fixed issues

Version 4.6.1 of the Splunk Add-on for Salesforce fixes the following (if any) issues:


Known issues

Version 4.6.1 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.

Version 4.6.0

Version 4.6.0 of the Splunk Add-on for Salesforce was released on November 1, 2022.

Compatibility

Version 4.6.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.0.0
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 56.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.6.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.6.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Added support for the delay parameter in Salesforce Object input. For more information on the delay parameter, see Configure your Salesforce account to collect data.
  • Updated the data collection mechanism in the add-on to resolve performance issues.
  • Minor Bug-fixes.

Fixed issues

Version 4.6.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:


Known issues

Version 4.6.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.

Version 4.5.0

Version 4.5.0 of the Splunk Add-on for Salesforce was released on November 1, 2022.

Compatibility

Version 4.5.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.0.0
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 56.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.5.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.5.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API version 55.0 and 56.0.

Fixed issues

Version 4.5.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Known issues

Version 4.5.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.


Version 4.4.0

Version 4.4.0 of the Splunk Add-on for Salesforce was released on April 28, 2022.

Compatibility

Version 4.4.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 5.0.0
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 54.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Upgrade

To upgrade to version 4.4.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.4.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API version 54.0.


Fixed issues

Version 4.4.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:


Known issues

Version 4.4.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.


Version 4.3.0

Version 4.3.0 of the Splunk Add-on for Salesforce was released on February 28, 2022.

Compatibility

Version 4.3.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 5.0.0
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 53.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


Upgrade

To upgrade to version 4.3.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.3.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API version 53.0.
  • Compatibility with CIM version 5.0.0
  • Migrated CSV lookups to KVStore.
  • Migrated from httplib2 to requests library.
  • Provided SSL certificate management.
  • Removed the support for SOCKS4 proxy.


From the Salesforce add-on release 4.3.0 onward, we have removed the support of SOCKS4 proxy. We recommend using an HTTP or SOCKS5 proxy instead.

See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Field Changes

Source-type EVENT_TYPE Fields added Fields removed
['sfdc:logfile'] Report, ApexCallout, SearchClick, API, ApexRestApi, AuraRequest, VisualforceRequest, ApexTrigger, AsyncReportRun, Login, OneCommerceUsage, Dashboard, URI, ExternalODataCallout, Sites, LightningInteraction, MetadataApiOperation, RestApi, ApexExecution, LightningPageView, LightningPerformance, Search dest_nt_domain
['sfdc:logfile'] Logout src_user, vendor_account dest_nt_domain


Fixed issues

Version 4.3.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2022-02-21 ADDON-14557 Possible data loss when modular input exits (Restart Splunk, disable input) during data collection

Known issues

Version 4.3.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.


Version 4.2.2

Version 4.2.2 of the Splunk Add-on for Salesforce was released on Sept 8, 2021.

Compatibility

Version 4.2.2 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.18.1
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 52.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


Upgrade

To upgrade to version 4.2.2 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.2.2 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API version 52.0.
  • Fast and intuitive UI with an improved look and feel.
  • Fixed critical security issue by removing jquery2.
  • Removed python2 support. Splunk only supports python3 for future releases.
  • Minor bug fixes.


See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 4.2.2 of the Splunk Add-on for Salesforce fixes the following (if any) issues:


Known issues

Version 4.2.2 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.

A complete listing of third-party software information for this add-on is available as a PDF file for download:
Splunk Add-on for Salesforce third-party software credits.

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Salesforce was released on April 2, 2021.

Compatibility

Version 4.1.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 7.2.x, 7.3.x, 8.0.x, 8.1.x,
CIM 4.18.1
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 51.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


Upgrade

To upgrade to version 4.1.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.1.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API versions 49.0 to 51.0.
  • Support for CIM version 4.18.1.
  • Changes related to the Common Information Model (CIM) mappings:
    • Mapped the Change DM for the Logout event type for the sfdc:logfile source type.
    • Removed the Web data model tag for the Sites and URI event types for the sfdc:logfile sourcetype.
    • Removed Web and Change data models for the API of sfdc:logfile sourcetype.
    • Added one scripted lookup lookup_sfdc_user_agent_scripted for enhanced mapping of the http_user_agent CIM field.
    • Removed the static lookup lookup_sfdc_user_agent.csv, which was giving incorrect values for the http_user_agent field.
    • Added the CIM field dest for the sfdc:logfile source type events. The value of this field is populated from the extra field SplunkRetrievedServer (for the SFDC server hostname retrieved by Splunk), which is added to the raw event.
    • Updated the CIM Action field values for the Web data model as per the standard http response codes.
  • Resolved a sfdc:logfile sourcetype issue where data was not collected for very large events in CSV files.
  • Enhanced UI validations.
  • Minor bug fixes.


See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 4.1.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Known issues

Version 4.1.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-15 ADDON-38307 Splunk_TA_Salesforce ingests ApexJob event log only 1 time even though the status is changed from Queued to others.
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Salesforce incorporates the following third-party software libraries:

Version 4.0.3

Version 4.0.3 of the Splunk Add-on for Salesforce was released on February 17, 2021.

Compatibility

Version 4.0.3 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.15
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 48.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


Upgrade

To upgrade to version 4.0.3 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.0.3 of the Splunk Add-on for Salesforce provides the following new features:

  • Removed cyclic dependency for the lookup in props.conf.

See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 4.0.3 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2021-02-09 ADDON-33531 Cyclic dependent fields in the LOOKUP configuration of props.conf file.

Known issues

Version 4.0.3 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Version 4.0.3 of the Splunk Add-on for Salesforce incorporates the following third-party software libraries:


Version 4.0.2

Version 4.0.2 of the Splunk Add-on for Salesforce was released on October 7, 2020.

Compatibility

Version 4.0.2 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0
CIM 4.15
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 48.0

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.


Upgrade

To upgrade to version 4.0.2 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.0.2 of the Splunk Add-on for Salesforce provides the following new features:

  • Bug fixes.

See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 4.0.2 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2020-09-29 ADDON-29287 Input UI hangs when the Account in Used is deleted
2020-09-23 ADDON-26859 Data collection stops with RelativeURIError
2020-09-21 ADDON-29058 Data collection stops while using DESC on the Order By clause

Known issues

Version 4.0.2 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-02-04 ADDON-33531 Cyclic dependent fields in the LOOKUP configuration of props.conf file.
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

Third-party software attributions

Version 4.0.2 of the Splunk Add-on for Salesforce incorporates the following third-party software libraries:


Version 4.0.1

Version 4.0.1 of the Splunk Add-on for Salesforce was released on June 30, 2020.

Compatibility

Version 4.0.1 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0
CIM 4.15
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 48.0

Upgrade

To upgrade to version 4.0.1 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.0.1 of the Splunk Add-on for Salesforce provides the following new features:

  • Enhanced python library structure.

See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 4.0.1 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2020-07-10 ADDON-26828 Addons unable to load UI or collect data on Splunk 8.0.4, 8.0.2004 and Splunk 8.0.5
2020-07-10 ADDON-26892, ADDON-26889 Fix UI and Data collection of Addon on Splunk 8.0.4 and 8.0.2004

Known issues

Version 4.0.1 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-02-19 ADDON-33993, ADDON-33964, ADDON-34491 Stack trace is getting displayed in the input UI validation error message when user try to delete default inputs
2020-09-11 ADDON-29287 Input UI hangs when the Account in Used is deleted
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2020-02-19 ADDON-25333 Behavior changes observed for some fields in different Product Version for sourcetype="sfdc:logfile"
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2017-05-16 ADDON-14793 User cannot delete the default inputs in this add-on.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

2017-04-16 ADDON-14545 User cannot upgrade this add-on on Windows

Workaround:
Disable this add-on in Splunk settings before upgrading. Then enable it after upgrade is finished.

Third-party software attributions

Version 4.0.1 of the Splunk Add-on for Salesforce incorporates the following third-party software libraries:

Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Salesforce was released on April 2, 2020.

Compatibility

Version 4.0.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0
CIM 4.15
Platforms Platform independent
Vendor Products Salesforce API versions 42.0 to 48.0

Upgrade

To upgrade to version 4.0.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 4.0.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API versions 42.0 to 48.0.
  • Support for descending sorting order of queries.
  • Support for hourly EventLogFile ingestion.
  • OAuth access token is automatically updated if it expires during data collection

See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 4.0.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2020-02-05 ADDON-19328, ADDON-19215 Basic account credentials are not validated at the time of account configuration

Known issues

Version 4.0.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-09-11 ADDON-29287 Input UI hangs when the Account in Used is deleted
2020-09-04 ADDON-29125 Inconsistent kv extraction due to extra quotes present in Salesforce event log csv
2020-06-01 ADDON-26892, ADDON-26889 Fix UI and Data collection of Addon on Splunk 8.0.4 and 8.0.2004
2020-05-29 ADDON-26859 Data collection stops with RelativeURIError
2020-05-26 ADDON-26828 Addons unable to load UI or collect data on Splunk 8.0.4, 8.0.2004 and Splunk 8.0.5

Workaround:
As a manual workaround, the "import html" statement on Line 16 of splunk/lib/python3.7/site-packages/splunk/util.py file could be commented out, which does not require Splunk restart to take affect.
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2020-02-19 ADDON-25333 Behavior changes observed for some fields in different Product Version for sourcetype="sfdc:logfile"
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2017-05-16 ADDON-14793 User cannot delete the default inputs in this add-on.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

2017-04-16 ADDON-14545 User cannot upgrade this add-on on Windows

Workaround:
Disable this add-on in Splunk settings before upgrading. Then enable it after upgrade is finished.

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Salesforce incorporates the following third-party software libraries:


Version 3.0.0

Version 3.0 of the Splunk Add-on for Salesforce was released on October 21, 2019.

Compatibility

Version 3.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x, 8.0
CIM 4.11
Platforms Platform independent
Vendor Products Salesforce API version 42.0

Upgrade

To upgrade to version 3.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

New features

Version 3.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Python 3

See Choose your Splunk Enterprise upgrade path for the Python 3 migration to learn more about migrating your deployment to Python3.

Fixed issues

Version 3.0 of the Splunk Add-on for Salesforce fixes the following (if any) issues:

Date resolved Issue number Description
2019-09-11 ADDON-20992, ADDON-20295 Fix issue: modinput throws exception for NULL value
2019-02-19 ADDON-20114 Few inputs do not consume data after upgrading sfdc addon from 1.0 to 2.0

Known issues

Version 3.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2020-02-19 ADDON-25333 Behavior changes observed for some fields in different Product Version for sourcetype="sfdc:logfile"
2020-02-04 ADDON-25183, ADDON-25885 Addons UI is not compatible with Splunk 7.3.3 and Splunk 7.3.4

Workaround:
Customer can switch to any other Splunk version compatible with all their apps and add-ons.
2018-09-05 ADDON-19328, ADDON-19215 Basic account credentials are not validated at the time of account configuration
2017-05-16 ADDON-14793 User cannot delete the default inputs in this add-on.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

2017-04-17 ADDON-14557 Possible data loss when modular input exits (Restart Splunk, disable input) during data collection
2017-04-16 ADDON-14545 User cannot upgrade this add-on on Windows

Workaround:
Disable this add-on in Splunk settings before upgrading. Then enable it after upgrade is finished.

Third-party software attributions

Version 3.0 of the Splunk Add-on for Salesforce incorporates the following third-party software libraries:


Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Salesforce was released on October 11, 2018.

The Splunk Add-on for Salesforce version 2.0.0 introduces breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Salesforce, you must follow the steps outlined in Upgrade the Splunk Add-on for Salesforce to prevent data loss.

Compatibility

Version 2.0.0 of the Splunk Add-on for Salesforce is compatible with the following software, CIM version, and platforms:

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Salesforce API version 42.0

Upgrade

To upgrade to version 2.0.0 of the Splunk Add-on for Salesforce, see the Upgrade topic of this manual.

Change in source names in version 2.0.0

Version 2.0.0 of the Splunk Add-on for Salesforce supports multiple accounts or custom endpoints. Therefore, there is a new field in version 2.0.0 called UserAccountId. Also, in version 2.0.0, the account and input names appear in source names. For example, the source name that was sfdc_object://LoginHistory in previous versions is sfdc_object://LoginHistory_accountname_inputname in version 2.0.0.

New features

Version 2.0.0 of the Splunk Add-on for Salesforce provides the following new features:

  • Support for Salesforce API version 42.0
  • Support for multiple accounts
  • Support for custom endpoints
  • Escaping of ampersands in the password
  • Support for OAuth 2.0 authorization
  • Provides default support for sfdc:contentversion.

Fixed issues

Version 2.0.0 of the Splunk Add-on for Salesforce fixes the following issues:

Date resolved Issue number Description
2018-05-21 ADDON-14633 This add-on does not support user to update "Query Start Date" field once it's been configured.
2018-05-17 ADDON-15807 Splunk_TA_salesforce crashes while trying do ingest large log files
2018-05-14 ADDON-16577 Customer is experiencing authentication issues with Splunk Add-on for Salesforce

Known issues

Version 2.0.0 of the Splunk Add-on for Salesforce has the following known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-08-31 ADDON-29058 Data collection stops while using DESC on the Order By clause
2020-03-15 ADDON-25586 Salesforce add-on missing some of the salesforce data due to delay on Salesforce side
2018-10-30 ADDON-20114 Few inputs do not consume data after upgrading sfdc addon from 1.0 to 2.0
2018-09-05 ADDON-19328, ADDON-19215 Basic account credentials are not validated at the time of account configuration
2017-05-16 ADDON-14793 User cannot delete the default inputs in this add-on.
2017-04-25 ADDON-14623 The data collection is slow and/or possible data loss when user add multiple inputs through inputs.conf.

Workaround:
Splunk recommends user to configure inputs via Splunk web, instead of configuring them via inputs.conf.

If user needs to configure them in inputs.conf, do the following: 1. Set "disabled = 1" of inputs.conf under default folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/inputs.conf.
2. Restart splunk.
3. Configure the inputs under local folder $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/inputs.conf.
4. Go to the inputs page of this add-on to load the inputs you just configured.
5. After loading all the inputs, go to the default folder again and set "disabled = 0"
6. Restart splunk

2017-04-17 ADDON-14557 Possible data loss when modular input exits (Restart Splunk, disable input) during data collection
2017-04-16 ADDON-14545 User cannot upgrade this add-on on Windows

Workaround:
Disable this add-on in Splunk settings before upgrading. Then enable it after upgrade is finished.

Installation overview for the Splunk Add-on for Salesforce

Complete the following steps to install and configure the Splunk Add-on for Salesforce:

  1. Install the Splunk Add-on for Salesforce.
  2. Configure your Salesforce account to collect data.
  3. Set up the Splunk Add-on for Salesforce.
  4. Configure inputs for the Splunk Add-on for Salesforce.
Last modified on 08 March, 2024
PREVIOUS
Release notes for the Splunk Add-on for Salesforce
  NEXT
Hardware and software requirements for the Splunk Add-on for Salesforce

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters