Enable saved search for the Splunk Add-on for Salesforce
The Splunk Add-on for Salesforce includes a preconfigured lookup generation saved search that you can enable on your search heads. You need to configure Salesforce object User inputs in order to collect the data. After the data has been indexed by the Splunk platform, manually run the saved search in order to populate the lookup file then set a frequency to run it that matches the frequency of configuration changes in your environment.
Saved search name | Description |
---|---|
Lookup - USER_ID to USER_NAME | Populates the Salesforce User object data via lookup_sfdc_usernames KV Store lookup in this event.
|
You can review and enable the saved search either in Splunk Web or in the configuration files.
Access and enable saved search in Splunk Web
To access and enable the saved search in Splunk Web:
- Go to Settings > Searches, reports, and alerts.
- Set the app context to Splunk Add-on for Salesforce.
- Click Enable next to Lookup - USER_ID to USER_NAME .
Access and enable saved search in savedsearches.conf
To access and enable the saved search in the configuration files complete the following steps:
- Go to
$SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/savedsearches.conf
. - Copy the file to
$SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local
. - In the local copy, change
disabled = 1
todisabled = 0
.
Migrating from CSV lookups to KV store lookups
- Disable the savedsearches from Splunk Web on the search head.
- Execute the below SPL query to migrate existing CSV lookup data to KVStore from your search heads:
| inputlookup lookup_sfdc_usernames.csv | fields * | rename Profile.PermissionsApiEnabled as Profile:PermissionsApiEnabled, Profile.PermissionsModifyAllData as Profile:PermissionsModifyAllData, Profile.PermissionsViewSetup as Profile:PermissionsViewSetup | outputlookup lookup_sfdc_usernames
- Enable the savedsearches from Splunk Web on the search head.
Note: For the lookup_sfdc_usernames lookup, fields Profile.PermissionsApiEnabled, Profile.PermissionsModifyAllData and Profile.PermissionsViewSetup have been renamed to Profile:PermissionsApiEnabled, Profile:PermissionsModifyAllData and Profile:PermissionsViewSetup respectively.
Configure event log inputs for the Splunk add-on for Salesforce | Troubleshoot the Splunk Add-on for Salesforce |
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released
Feedback submitted, thanks!