Salesforce Add-On v2.0 Misses Indexing Events from Salesforce Objects

augustallen4
Explorer

Updating to the latest version of the Splunk Add-on for Salesforce v2.0 has caused what I believe to be a bug, where Splunk misses events for objects that are being monitored. I have reproduced this issue across a production system on Splunk 6.6.2 and a test instance on Splunk 7.7.3. I have not experienced this issue on earlier versions of the Salesforce Add-on. It's difficult to explain via text, so I will describe how you can easily reproduce it in the hope that it is easier to read.

Set up any input to ingest an object in Salesforce with LastModifiedDate, the default Salesforce field, as the object field for "Order By". If you have n number of these objects in Salesforce that have a LastModifiedDate more recent than your query start date (if you left query start date blank the default is 90 days ago) then you would expect the add-on to ingest and index all n objects. However, you'll find that it only indexes n-1 objects. The object with the latest LastModifiedDate will be missing. I'm confident Splunk does see this event though because the SOQL that is sent to Salesforce (identified by the _internal index with INFO logging) returns n number of events which I've confirmed using the Salesforce SOQL developer console. Further evidence supporting that Splunk sees this latest event is that Splunk will update the Query Start to be the date of the most recent object's LastModifiedDate. Therefore the object is seen by Splunk, but just doesn't seem to get indexed.

Furthermore, you can force Splunk to index this or any object by editing two or more objects in Salesforce within the interval's time period. For example, if you have the interval set to query Salesforce every 10 minutes and you edit Objects A, B and then C in this time period, then Splunk will index Objects A and B, but there will be no event generated for C. However, Splunk will use the LastModifiedDate of Object C for future queries. You can find further evidence that Splunk is missing an event by searching "index=_internal events collected" with INFO logging configured in the Salesforce app; you will see "file=cce_plugin_sfdc.py, func_name=log... Events Collect n-1".

I suspect this is a simple fix by editing one of the Python functions in the app so that Splunk indexes the latest event, but I haven't quite figured out a fix. Has anyone else experienced this issue or know of a workaround?

1 Solution

augustallen4
Explorer

Found a fix. Requires a simple edit to a function in Splunk_TA_Salesforce\bin\splunk_ta_salesforce\cloudconnectlib\plugin\cce_plugin_sfdc.py.

The function is filter_records_before_date, and all I did was comment out the if statement and un-indent return events. I've tested this and it properly indexes all events now; the revised function looks like this:

@cce_pipeline_plugin
def filter_records_before_date(is_greater_than, events, field, value):
    """Filter all events which the value of field is equal given value."""
    # Original check commented out: every record is now returned unfiltered.
    #if not _to_bool(is_greater_than):
    return events
    #return [event for event in events if event.get(field, '') != value]
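
The following simulation is an added illustration, not code from the Splunk Add-on for Salesforce or from this thread. It models the checkpoint filter above against constructed records: the "new" mode is one hypothetical way the filter could produce the reported n-1 symptom (the filter value being the batch's newest LastModifiedDate rather than the previous checkpoint), not a confirmed root cause, and the interval query being inclusive (>= the checkpoint) is an assumption used to show the side effect of returning every record unfiltered.

```python
# Added illustration, not code from the Splunk Add-on for Salesforce. The
# records, dates and the inclusive (>=) interval query are constructed
# assumptions; boundary="new" is a hypothetical reproduction of the n-1
# symptom, not a confirmed root cause.

# Constructed Salesforce records; ISO timestamps sort lexically.
SFDC = [
    {"Id": "A", "LastModifiedDate": "2019-08-16T10:00:00Z"},
    {"Id": "B", "LastModifiedDate": "2019-08-16T10:05:00Z"},
    {"Id": "C", "LastModifiedDate": "2019-08-16T10:09:00Z"},
]

def soql_query(records, start, inclusive):
    """Stand-in for the interval SOQL: LastModifiedDate >= start (or > start)."""
    keep = (lambda d: d >= start) if inclusive else (lambda d: d > start)
    hits = [r for r in records if keep(r["LastModifiedDate"])]
    return sorted(hits, key=lambda r: r["LastModifiedDate"])

def filter_records_before_date(is_greater_than, events, field, value):
    """Same logic as the plugin's original function: drop events whose field == value."""
    if is_greater_than:
        return events
    return [e for e in events if e.get(field, "") != value]

def poll(records, checkpoint, inclusive=True, use_fix=False, boundary="previous"):
    """One collection interval. Returns (indexed Ids, new checkpoint)."""
    batch = soql_query(records, checkpoint, inclusive)
    if not batch:
        return [], checkpoint
    new_cp = batch[-1]["LastModifiedDate"]   # Query Start advances to this
    if use_fix:                               # the posted patch: unconditional return
        events = batch
    else:
        value = checkpoint if boundary == "previous" else new_cp
        events = filter_records_before_date(not inclusive, batch,
                                            "LastModifiedDate", value)
    return [e["Id"] for e in events], new_cp

def run_two_polls(use_fix, boundary="previous"):
    """Poll twice from a 09:00 start with no Salesforce edits in between."""
    first, cp = poll(SFDC, "2019-08-16T09:00:00Z", True, use_fix, boundary)
    second, _ = poll(SFDC, cp, True, use_fix, boundary)
    return first, second, cp

if __name__ == "__main__":
    print("filter vs new checkpoint :", run_two_polls(False, "new"))  # C missing
    print("filter vs prev checkpoint:", run_two_polls(False))         # all, no dup
    print("posted fix (no filter)   :", run_two_polls(True))          # C re-indexed
```

Under the inclusive-query assumption, the posted fix indexes all n records but re-emits the boundary record on the next interval, so a search for duplicate Ids at the checkpoint timestamp is the check worth running after applying it.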

smpramod
Engager

This did not work when I commented out the values; I got the error below. I marked the stanza_name below with xxxx (it is a custom object).

2019-08-16 11:59:01,773 +0000 log_level=WARNING, pid=8889, tid=MainThread, file=plugin.py, func_name=import_plugin_file, code_line_no=68 | [stanza_name=xxxxxxxx] Failed to load module cce_plugin_sfdc, Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_salesforce/bin/splunk_ta_salesforce/cloudconnectlib/core/plugin.py", line 65, in import_plugin_file
    importlib.import_module(module_name)
  File "/opt/splunk/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/opt/splunk/etc/apps/Splunk_TA_salesforce/bin/splunk_ta_salesforce/cloudconnectlib/plugin/cce_plugin_sfdc.py", line 37
    return events
    ^
IndentationError: unexpected indent

natalienguyenme
Explorer

Try using spaces instead of tabs. It worked for me.

guarisma
Contributor

This is a serious bug, customers are not capturing all events in Splunk.
We need a new version of this Add-on.