topic Re: Salesforce lookup table error in Splunk Cloud Platform

Salesforce lookup table error

tv00638481 — Sat, 27 Jan 2024 13:24:44 GMT

Hi ,
We have onboarded Salesforce in our environment. However when we run the queries, we could notice below errors are getting continuously across the instance whenever any query is being run and also showing on all the dashboards.

[idx-i- xxxx.splunkcloud.com,idx-i-04xxxx.xxxx.splunkcloud.com,idx-i-075xxx.xxx.splunkcloud.com.idx-i-
Oaxxx.xxxx.splunkcloud.com,idx-i-0be.xxxx splunkcloud.com,sh-i-026xxx.xxxx.splunkcloud.com] Could not load lookup=LOOKUP-SFDC-USER_NAME

Re: Salesforce lookup table error

tscroggins — Sat, 27 Jan 2024 22:11:14 GMT

Hi @tv00638481,

Make sure Splunk Add-on for Salesforce is installed on the search head and verify the lookup_sfdc_usernames KV store lookup definition is shared globally and accessible to everyone who needs to use Salesforce App for Splunk.

Also make sure the Lookup - USER_ID to USER_NAME saved search is enabled and scheduled. This is the search that populates the lookup. To improve performance, modify the saved search to user your Salesforce index instead of index=*. Splunk normally uses macros to specify indexes, but that was overlooked in this add-on.

Re: Salesforce lookup table error

tv00638481 — Sun, 28 Jan 2024 06:02:17 GMT

Hi
Thank you for the response.

On SH, we are not getting this error.

We getting these errors on ES and the app is available there and it's accessible globally. We are running query specific to Salesforce index only.

Re: Salesforce lookup table error

tscroggins — Sun, 28 Jan 2024 06:10:16 GMT

If you're using Splunk Cloud Classic Experience, the add-on needs to be installed on your ES SH as well.

Re: Salesforce lookup table error

tv00638481 — Sun, 28 Jan 2024 11:29:13 GMT

Addon is also installed.

Re: Salesforce lookup table error

tscroggins — Sun, 28 Jan 2024 17:50:24 GMT

What happens you run the following command from <your_stack_url>/app/splunk-app-sfdc/search:

| inputlookup lookup_sfdc_usernames

Do you see any results?

Do you have any duplicate definitions of LOOKUP-SFDC-USER_NAME under Settings > Lookups > Automatic Lookups with App: All and Owner: Any?

When you search against sourcetype=sfdc:loginhistory, do you still see errors? You can view search logs from Job > Inspect Job. In search.log, search for LOOKUP-SFDC-USER_NAME to see additional context. To view logs from indexers, add noop to your search:

index=your_index sourcetype=sfdc:loginhistory
| noop remote_log_fetch=*

Re: Salesforce lookup table error

rbudini_splunk — Wed, 31 Jan 2024 02:18:23 GMT

The reason you are getting this message is because the indexers do not have the LOOKUP-SFDC-USER_NAME

The following Knowledge Article explains what is happening.

To get off this message I would suggest you open a support case and the Splunk Cloud engineer will be able to address this for you.

Robertino

Re: Salesforce lookup table error

tv00638481 — Wed, 31 Jan 2024 15:25:19 GMT

Hi,

I could get the results when I run the command. My observation about the lookup file between SH and ES on SH is , the .CSV extension is missing.once added it's running.

I'm trying understand the below query to implement.

Firstly, the description provided in the usecase is not clearly understood . I got this usecase from the splunk SF content search.

Anyone has idea about this query.

https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Protecting_a_Salesforce_cloud_deployment/Spike_in_exported_records_from_Salesforce_cloud

ROWS_PROCESSED>0 EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI
|lookup lookup_sfdc_usernames USER_ID
|bucket _time span=1d 
|stats sum(ROWS_PROCESSED) AS rows BY _time Username
|stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'rows',null))) AS rows avg(eval(if(_time<relative_time(maxtime,"-1d@d"),'rows',null))) AS avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),'rows',null))) AS stdev BY Username
|eval lowerBound=(avg-stdev*2), upperBound=(avg+stdev*2)
|where 'rows' > upperBound AND num_data_samples >=7

Re: Salesforce lookup table error

tv00638481 — Fri, 01 Mar 2024 14:57:33 GMT

got it thank you.