Splunk® Supported Add-ons

Splunk Add-on for Salesforce

Troubleshoot the Splunk Add-on for Salesforce

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Considerations for non-Admin users

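To configure inputs, a power user needs to have the list_storage_passwords capability. This capability allows the user to read credentials held in the Splunk credential store, so grant it only to roles that need to configure inputs.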

Splunk Add-on for Salesforce log

To check for errors in the internal logs for this add-on, run either of the following searches:

index=_internal sourcetype=sfdc:object:log

index=_internal sourcetype=sfdc:eventlog:log

You can configure the logging verbosity on the setup page for the add-on, or in $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/splunk_ta_salesforce_settings.conf.

Data collection stops after upgrading

If your data collection stops after upgrading from version 1.0.0, check that you followed the steps in the Upgrade topic of this manual.

If data collection still is not working, run the following search to check whether an input is misconfigured:

index="_internal" sourcetype="sfdc:*" (log_level=WARNING OR log_level=ERROR) <input_name>

The resultant Warning or Error log lists missing configurations or inaccurate credentials. In your add-on, edit the input to complete or correct these configurations.

Collecting data from custom objects

If you have created custom objects in your Salesforce instance, complete the following two steps:

  • Add the custom object to your splunk/etc/apps/Splunk_TA_salesforce/local/inputs.conf file.
  • Add two underscores and a lowercase "c" to the end of the object name: __c.

The following stanza is an example of a custom object in a local inputs.conf file:

account =
interval = 12
limit = 1000
object = setup_audit_trail__c
object_fields = audit_name__c,Name
disabled = 1 
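
The following added example (not part of the add-on or of the original documentation) lints inputs.conf text for the problems this topic describes: an empty account, a disabled input, and a custom object or field name typed with a single underscore instead of the __c suffix. The stanza names are placeholders because the stanza above omits its header, the sample text is constructed, and the single-underscore check is a heuristic.

```python
import configparser

# Constructed sample. Keys come from the stanza shown above; the stanza
# names are placeholders because the page's example omits the header.
SAMPLE_INPUTS_CONF = """
[placeholder_input_ok]
account = my_sfdc_account
interval = 12
limit = 1000
object = setup_audit_trail__c
object_fields = audit_name__c,Name
disabled = 0

[placeholder_input_bad]
account =
interval = 12
limit = 1000
object = setup_audit_trail_c
object_fields = audit_name__c,Name
disabled = 1
"""

def lint_inputs(conf_text):
    """Return {stanza: [findings]} for stanzas with likely misconfigurations."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        cfg = parser[stanza]
        findings = []
        if not cfg.get("account", "").strip():
            findings.append("account is empty")
        if cfg.get("disabled", "0").strip().lower() in ("1", "true"):
            findings.append("input is disabled")
        names = [cfg.get("object", "")] + cfg.get("object_fields", "").split(",")
        for name in (n.strip() for n in names):
            # Heuristic: "_c" without the second underscore is a likely typo.
            if name.endswith("_c") and not name.endswith("__c"):
                findings.append(f"{name!r} ends in _c, expected __c")
        if findings:
            report[stanza] = findings
    return report

if __name__ == "__main__":
    for stanza, findings in lint_inputs(SAMPLE_INPUTS_CONF).items():
        print(stanza, "->", "; ".join(findings))
```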

Add-on exits when opened

When the refresh_token on your Salesforce environment is not configured for your account <<account_name>>, the Splunk Add-on for Salesforce exits.

If you receive the following error message, use the steps below to troubleshoot the issue:

Salesforce refresh_token is not configured for account "<<account_name>>". Add-on is going to exit.

  1. In your Salesforce deployment, navigate to Setup > Apps > App Manager > Edit for the connected app that you are using in the Splunk Add-on for Salesforce.
  2. In your selected app, select Selected OAuth Scopes > API (Enable OAuth Settings), and verify that Perform requests on your behalf at any time (refresh_token, offline_access) is available in Available OAuth Scopes.
  3. Select Perform requests on your behalf at any time (refresh_token, offline_access) in Available OAuth Scopes and add it to Selected OAuth Scopes.
  4. Click Save.
  5. Wait approximately 10 minutes for your changes to take effect on the server, before using the connected app.
  6. Navigate to your Splunk platform deployment. From the Apps menu, select the Splunk Add-on for Salesforce.
  7. Disable all your configured inputs.
  8. From the Splunk Add-on for Salesforce main menu, navigate to Configuration > Account.
  9. Edit the <<account_name>> that is receiving the error.
  10. Enter the Client Secret and click Update.
  11. After authenticating, re-enable your configured inputs.
  12. Verify that data collection has started.

Inconsistent kv extraction in sfdc:logfile sourcetype

In some of the event types in the sfdc:logfile sourcetype, extra double quotes appear in some fields. This causes inconsistent key-value pair extractions in the Splunk software, so some of the fields are not extracted. The issue originates on the Salesforce side of your deployment, not in this add-on or in the Splunk platform software. If you experience this issue, report it to Salesforce Inc.

Last modified on 13 October, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released
