Troubleshoot the Splunk Add-on for Salesforce
Considerations for non-Admin users
To configure inputs, a power user needs to have the
Splunk Add-on for Salesforce log
To check for errors in the internal logs for this add-on, you can perform this search:
You can configure the logging verbosity on the setup page for the add-on, or in
Data collection stops after upgrading
If your data collection stops after upgrading from version 1.0.0, check that you followed the steps in the Upgrade topic of this manual.
If data collection still is not working, run the following search to check whether an input is misconfigured:
index="_internal" sourcetype="sfdc:*" (log_level=WARNING OR log_level=ERROR) <input_name>
The resultant Warning or Error log lists missing configurations or inaccurate credentials. In your add-on, edit the input to complete or correct these configurations.
Collecting data from custom objects
If you have created custom objects in your Salesforce instance, complete the following two steps:
- Add the custom object to your
- Add two underscores and a lowercase "c" to the end of the object name: __c.
The following stanza is an example of a custom object in a local
[sfdc_object://setup_audit_trail] account = interval = 12 limit = 1000 object = setup_audit_trail__c object_fields = audit_name__c,Name disabled = 1
Add-on exits when opened
refresh_token on your Salesforce environment is not configured for your account <<account_name>>. the Splunk Add-on for Salesforce will exit.
If you receive the Salesforce refresh_token is not configured for account "<<account_name>>". Add-on is going to exit., use the following steps to troubleshoot this issue.
- In your Salesforce deployment, navigate to Setup > Apps > App Manager > Edit for the connected app that you are using in the Splunk Add-on for Salesforce.
- In your selected app, select Selected OAuth Scopes > API (Enable OAuth Settings), and verify that Perform requests on your behalf at any time (
offline_access) is available in Available OAuth Scopes.
- Select Perform requests on your behalf at any time (
offline_access) in Available OAuth Scopes and add it to Selected OAuth Scopes
- Click Save.
- Wait approximately 10 minutes for your changes to take effect on the server, before using the connected app.
- Navigate to your Splunk platform deployment. From the Apps menu, select the Splunk Add-on for Salesforce.
- Disable all your configured inputs.
- From the Splunk Add-on for Salesforce main menu, navigate to Configuration > Account
- Edit the <<account_name>> that is receiving the error.
- Enter the Client Secret and click Update.
- After authenticating, re-enable your configured inputs.
- Verify that data collection has started.
Inconsistent kv extraction in sfdc:logfile sourcetype
Some of the event types in the
sfdc:logfile sourcetype, extra double quotes appear in some fields. This causes inconsistent key-value pair extractions in the Splunk software, leading to some of the fields not being extracted. This issue is caused on the Salesforce side of your deployment, and not from this add-on or Splunk platform software side. If you experience this issue, report it to Salesforce Inc.
Enable saved search for the Splunk Add-on for Salesforce
Lookups for the Splunk add-on for Salesforce
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released