Troubleshoot the Splunk Add-on for Salesforce

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Splunk Add-on for Salesforce log

To check for errors in the internal logs for this add-on, you can perform this search:

index=_internal sourcetype=sfdc:object:log

OR

index=_internal sourcetype=sfdc:eventlog:log

OR

index=_internal sourcetype=sfdc:utils

You can configure the logging verbosity on the setup page for the add-on, or in $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/splunk_ta_salesforce_settings.conf.

Data collection stops after upgrading

If your data collection stops after upgrading from version 1.0.0, check that you followed the steps in the Upgrade topic of this manual.

If data collection still is not working, run the following search to check whether an input is misconfigured:

index="_internal" sourcetype="sfdc:*" (log_level=WARNING OR log_level=ERROR) <input_name>

The resultant Warning or Error log lists missing configurations or inaccurate credentials. In your add-on, edit the input to complete or correct these configurations.

Collecting data from custom objects

If you have created custom objects in your Salesforce instance, complete the following two steps:

• Add the custom object to your splunk/etc/apps/Splunk_TA_salesforce/local/inputs.conf file.
• Add two underscores and a lowercase "c" to the end of the object name: __c.

The following stanza is an example of a custom object in a local inputs.conf file:

[sfdc_object://setup_audit_trail]
account =
interval = 12
limit = 1000
object = setup_audit_trail__c
object_fields = audit_name__c,Name
disabled = 1 

Add-on exits when opened

When the refresh_token on your Salesforce environment is not configured for your account <<account_name>>. the Splunk Add-on for Salesforce will exit.

If you receive the Salesforce refresh_token is not configured for account "<<account_name>>". Add-on is going to exit., use the following steps to troubleshoot this issue.

1. In your Salesforce deployment, navigate to Setup > Apps > App Manager > Edit for the connected app that you are using in the Splunk Add-on for Salesforce.
2. In your selected app, select Selected OAuth Scopes > API (Enable OAuth Settings), and verify that Perform requests on your behalf at any time (refresh_token, offline_access) is available in Available OAuth Scopes.
3. Select Perform requests on your behalf at any time (refresh_token, offline_access) in Available OAuth Scopes and add it to Selected OAuth Scopes
4. Click Save.
5. Wait approximately 10 minutes for your changes to take effect on the server, before using the connected app.
6. Navigate to your Splunk platform deployment. From the Apps menu, select the Splunk Add-on for Salesforce.
7. Disable all your configured inputs.
8. From the Splunk Add-on for Salesforce main menu, navigate to Configuration > Account
9. Edit the <<account_name>> that is receiving the error.
10. Enter the Client Secret and click Update.
11. After authenticating, re-enable your configured inputs.
12. Verify that data collection has started.

Salesforce server connection issues

If there is a "Connection timed out" error in the log file, check the connection with the server using the following command:

curl -I https://<URL_of_the_Salesforce_endpoint>/services/data

The following message displays if the connection with the salesforce server is successful:

HTTP/1.1 200 OK

If there is no successful connection, verify that your firewall rules allow the connection with the server.

Inconsistent kv extraction in sfdc:logfile sourcetype

Some of the event types in the sfdc:logfile sourcetype, extra double quotes appear in some fields. This causes inconsistent key-value pair extractions in the Splunk software, leading to some of the fields not being extracted. This issue is caused on the Salesforce side of your deployment, and not from this add-on or Splunk platform software side. If you experience this issue, report it to Salesforce Inc.

CSV Error: field larger than field limit

If a customer is facing below error for Salesforce Event Log input:

File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 234, in _post_process 'post') 
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 218, in _execute_handlers data = handler.execute(context) 
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 34, in execute result = callable_method(*args) 
File "/apps/splunk/etc/apps/Splunk_TA_salesforce/lib/splunk_ta_salesforce/cloudconnectlib/plugin/cce_plugin_sfdc.py", line 111, in read_event_log_file for row in csv_reader: 
File "/apps/splunk/lib/python2.7/csv.py", line 108, in next row = self.reader.next()
Error: field larger than field limit (10485760) 

The root cause is that incoming events from your Salesforce deplpoyment are larger than the 10485760 CSV limit provided in the add-on.

To resolve this issue, add the below stanza to yoour splunk/etc/apps/Splunk_TA_salesforce/local/splunk_ta_salesforce_settings.conf file.

[general]
csv_limit = <Number>

The value of csv_limit should be greater than the Event size which is coming into the CSV stream. Maximum allowed value is 2147483647.

Missing Events from Salesforce

If there are missing events observed by the Salesforce Object Input, it could be due to a delay from the Salesforce platform for publishing events. Configure the delay parameter accordingly to avoid data loss. See Configure Salesforce Object Inputs for the Splunk Add-on for Salesforce.