Full disclosure, I'm a Salesforce guy rather than a Splunk guy. I'm working with my internal Splunk team to try and ingest my CronTrigger and CronJobDetail objects from my org so I can monitor for some job hang statuses, or when developers make jobs with hard end dates.
The Splunk team is getting a 400 error on these objects, and their queries look okay to me. I did find a separate article in here about setting intervals for date predicates (https://community.splunk.com/t5/All-Apps-and-Add-ons/Salesforce-object-response-status-400/m-p/44400...) and I've passed that on to them to investigate. I've also suggested they try ingesting a single field from each object and see if they can get anything back.
In the meantime, has anybody here ingested these two objects into Splunk? Most of what I'm finding on Google is that a 400 message is a bad query, but can't this error also be thrown if the integration user doesn't have object access? If so, I may be at an impasse, since these are system objects, not standard or custom. Salesforce has these locked down so tight that even with my level of access I can't view the basic system properties of these, not that I'd be interested in messing with access around them.