MD5 checksum (splunk-add-on-for-salesforce_10beta.tgz) 3698a2d1dcf61175b45b4cb3950e4f42
Splunk Add-on for Salesforce

Splunk Built
The Splunk Add-on for Salesforce allows a Splunk software administrator to collect different types of data from Salesforce using REST APIs. The data includes:

* Event log file data, https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm.
* Output of Salesforce object queries (SOQL).

This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security, the Splunk App for PCI Compliance, and Splunk IT Service Intelligence.

Requirements

Splunk Version: 6.4 and later
CIM version: 4.6

Source types of Splunk Add-on for Salesforce:

  • sfdc:logfile: Salesforce event log data.
  • sfdc:<object_name>: Salesforce object data. The <object_name> is the name of the Salesforce object.

Prerequisites

To collect data from Salesforce, create a Salesforce account with the following permissions:

  1. Read access to the Salesforce objects you want to get data from.
  2. (Optional) A security token created for the account to access the Salesforce REST API. For instructions on how to create the security token, refer to this link: https://help.salesforce.com/articleView?id=user_security_token.htm. Note that a security token is not needed if your machine IP is within the Salesforce trusted IP range.

To collect Salesforce Event Log data, enable the Salesforce Event Log File API. For any questions about this API, please contact your Salesforce admin or Salesforce sales representative.

Configure inputs for Splunk add-on for Salesforce

You can use Splunk Web to collect data from Salesforce.

Add a Salesforce account to Splunk Add-on for Salesforce

  1. Click Splunk Add-on for Salesforce in the left navigation bar on Splunk Web home.
  2. Go to Configuration > Account, click Add, and then enter the following fields:
    • Account Name: Enter a unique account name.
    • Username: Enter the username of your Salesforce account.
    • Password: Enter the password of your Salesforce account.
  3. (Optional) If you are using a proxy, enter the related fields under Configuration > Proxy.

Create an input

  1. To collect Salesforce Object data, under the Inputs tab, select Create New Input > Salesforce Object.
    • Name: A unique name for the input.
    • Interval: The number of seconds to wait before the Splunk platform collects data again.
    • Index: The index in which to store data.
    • Salesforce account: Choose from the Salesforce accounts you want to use.
    • Salesforce environment: Choose a Salesforce environment.
    • (Optional) Security token: This field is optional if your machine IP is within the Salesforce trusted IP range.
    • Object: Enter the Salesforce object name you want to query for.
    • Object fields: Enter the object fields from which to collect data. Delimit multiple fields using commas.
    • Order by: Enter the datetime field by which to query results in ascending order.
    • Query start date: The datetime after which to query and index records.
    • Limit: The maximum number of results returned by the query (up to 1000 for standard objects and 500 for custom objects).
  2. To collect Salesforce Event Log data, under the Inputs tab, select Create New Input > Salesforce Event Log.
    • Name: A unique name for the input.
    • Interval: The number of seconds to wait before the Splunk platform collects data again.
    • Index: The index in which to store data.
    • Salesforce account: Choose from the Salesforce accounts you want to use.
    • Salesforce environment: Choose a Salesforce environment.
    • (Optional) Security token: This field is optional if your machine IP is within the Salesforce trusted IP range.
    • Query start date: The datetime after which to query and index records.
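
How the Salesforce Object input fields in step 1 could map onto a SOQL query, as an added example that is not the add-on's own code (the page does not show the query the add-on issues). The helper name `build_soql`, the identifier check and the `__c` test for custom objects are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Object and field names: letters, digits and underscores. Dots are allowed in
# field names for relationship fields such as Profile.PermissionsApiEnabled.
_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$")


def build_soql(obj, fields, order_by, start, limit=None):
    """Build a SOQL query from the input form values (hypothetical helper)."""
    names = [f.strip() for f in fields.split(",") if f.strip()]
    if not names:
        raise ValueError("at least one object field is required")
    # Reject anything that is not a plain identifier, so a form value cannot
    # change the shape of the query.
    for name in [obj, order_by] + names:
        if not _NAME.match(name):
            raise ValueError("invalid identifier: %r" % name)
    if "." in obj:
        raise ValueError("object name must not contain a dot: %r" % obj)
    # Limit: up to 1000 for standard objects and 500 for custom objects.
    # Assumption: custom objects are recognised by the __c suffix.
    cap = 500 if obj.endswith("__c") else 1000
    limit = cap if limit is None else limit
    if not 1 <= limit <= cap:
        raise ValueError("limit must be between 1 and %d for %s" % (cap, obj))
    # Query start date: SOQL datetime literals are unquoted UTC timestamps.
    if start.tzinfo is None:
        raise ValueError("query start date must be timezone-aware")
    ts = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    # Order by: ascending on the datetime field, so the last record returned
    # carries the next query start date.
    return "SELECT %s FROM %s WHERE %s > %s ORDER BY %s ASC LIMIT %d" % (
        ", ".join(names), obj, order_by, ts, order_by, limit)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real Salesforce org.
    print(build_soql("User", "Id,Username, LastModifiedDate",
                     "LastModifiedDate",
                     datetime(2017, 4, 19, tzinfo=timezone.utc)))
```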

Validate the data is coming in

After configuring the data input for Splunk Add-on for Salesforce, enter sourcetype=sfdc:logfile or sourcetype=sfdc:<object_name> in Splunk Search to see whether the data is coming in.

Lookups

The Splunk Add-on for Salesforce includes the following lookup. The lookup is used to enrich the Salesforce events coming from Event Log File and LoginHistory.

lookup_sfdc_usernames.csv: It maps USER_ID to the user's information, such as UserId, Email, Username, Name, LastName, FirstName, etc.

Follow the steps to populate data in the lookup:

  1. Add a new Salesforce Object input for User. Follow the first step of the "Create an input" instructions. Use these values in the fields below:
    • Object: User
    • Object fields: LastModifiedDate, City, Country, FirstName, Id, IsActive, LastLoginDate, LastName, Latitude, Longitude, MobilePhone, Name, PostalCode, State, Username, UserRoleId, UserType, Email, CompanyName, ProfileId, Profile.PermissionsApiEnabled, Profile.PermissionsModifyAllData, Profile.PermissionsViewSetup
    • Order by: LastModifiedDate
  2. Go to Settings > Searches, Reports and Alerts, and enable the saved search ‘Lookup-USERID to USER_NAME’.

Troubleshooting

To see the log of the two Salesforce data inputs, use the following SPL:

index=_internal sourcetype=sfdc:object:log: The internal logs for Salesforce Object data input.
index=_internal sourcetype=sfdc:eventlog:log: The internal logs for Salesforce Event Log data input.

For general troubleshooting, see http://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons.

Release Notes

Version 1.0beta
April 19, 2017

WARNING
=========
Please note this is the beta version of Splunk Add-on for Salesforce.
* You may encounter bugs and performance issues when using this add-on. Send your feedback to us at https://answers.splunk.com.
* The beta version of Splunk Add-on for Salesforce does not support the Splunk App for Salesforce. You must uninstall Splunk App for Salesforce before using this add-on.
* For terms and conditions regarding use of the beta version, see https://www.splunk.com/en_us/legal/splunk-pre-release-software-license-agreement.html
