Salesforce Event Log Interval

carlhussey · ‎09-15-2020

We have our Splunk instance connected to an API user per the specs of the Splunk App for Salesforce.

One of the things we are trying to get more insight into is the event log so we can create alerts, dashboards, etc. in order to be proactive.

From what I can tell, even though we set up the Splunk sfdc:logfile to be on an interval of 300 seconds, I never end up getting data in Splunk until after 24 hours. This means I can't search for anything that happened unless it was 24 hours ago.

Looking at some Salesforce documentation, it appears that there is hourly log files, as well as the 24 hour.

Our Splunk admin sent me this screenshot showing me that the interval was set on that source type, although anytime I try and search that index using "today", I get no events.

We are wanting to configure some alerts based on events that are logged, but we are unable to do so with such old data.

Any idea of how we can increase the interval on this log file, outside of what appears to be set at 300 seconds?

thambisetty · ‎09-15-2020

if the log files are generated hourly or once in 24 hours then there is no use of running Splunk input for every 300 seconds or 30 seconds. Input will run but it will fetch 0 results as there are no results provided by API.

I think, you need to focus more on API rather than looking into Splunk TA.

————————————
If this helps, give a like below.

Salesforce Event Log Interval

configuration

troubleshooting

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?