Splunk® Supported Add-ons

Splunk Add-on for Salesforce

Enable saved search for the Splunk Add-on for Salesforce

The Splunk Add-on for Salesforce includes a preconfigured lookup generation saved search that you can enable on your search heads. You need to configure Salesforce object User inputs in order to collect the data. After the data has been indexed by the Splunk platform, manually run the saved search in order to populate the lookup file then set a frequency to run it that matches the frequency of configuration changes in your environment.

Saved search name Description
Lookup - USER_ID to USER_NAME Populates the Salesforce User object data via lookup_sfdc_usernames KV Store lookup in this event.

You can review and enable the saved search either in Splunk Web or in the configuration files.

Access and enable saved search in Splunk Web

To access and enable the saved search in Splunk Web:

  1. Go to Settings > Searches, reports, and alerts.
  2. Set the app context to Splunk Add-on for Salesforce.
  3. Click Enable next to Lookup - USER_ID to USER_NAME .

Access and enable saved search in savedsearches.conf

To access and enable the saved search in the configuration files complete the following steps:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/default/savedsearches.conf.
  2. Copy the file to $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local.
  3. In the local copy, change disabled = 1 to disabled = 0.

Migrating from CSV lookups to KV store lookups

  1. Disable the savedsearches from Splunk Web on the search head.
  2. Execute the below SPL query to migrate existing CSV lookup data to KVStore from your search heads:
    1. | inputlookup lookup_sfdc_usernames.csv | fields * | rename Profile.PermissionsApiEnabled as Profile:PermissionsApiEnabled, Profile.PermissionsModifyAllData as Profile:PermissionsModifyAllData, Profile.PermissionsViewSetup as Profile:PermissionsViewSetup | outputlookup lookup_sfdc_usernames
  3. Enable the savedsearches from Splunk Web on the search head.

Note: For the lookup_sfdc_usernames lookup, fields Profile.PermissionsApiEnabled, Profile.PermissionsModifyAllData and Profile.PermissionsViewSetup have been renamed to Profile:PermissionsApiEnabled, Profile:PermissionsModifyAllData and Profile:PermissionsViewSetup respectively.

Last modified on 29 January, 2024
Configure event log inputs for the Splunk add-on for Salesforce   Troubleshoot the Splunk Add-on for Salesforce

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters