All Apps and Add-ons

Splunk Add-on for Salesforce incorrect URL for event log

Path Finder


I've configured our Add-on for Salesforce to collect Event Log data as per the add-on documentation. It's using the same account as the object inputs (which are working fine) and the account definitely has API access to event log data.

However in the event log collector log file I'm seeing an error caused by an incomplete URL:

HTTPError: HTTP Error Only absolute URIs are allowed. uri = /services/data/v42.0/sobjects/EventLogFile/<file_id>/LogFile

it seems as though the endpoint is not being prepended to the URL, even though it's defined in the account that is being used.

I looked through the scripted inputs to see exactly how this flow works and found where the request object is built (Splunk_TA_salesforce/bin/ (line 31):

request = {
        'url': '{{server_url}}/services/data/{{API_VERSION}}/sobjects'
        'method': 'GET',
        'headers': header,

{{server_url}} is set here (line 252):

# Block for OAuth flow
if task_config.get("account").get("auth_type") and 
    task_config.get("account").get("auth_type") == _OAUTHFLOW:
        set_values = (
            ('set_var', ['{{account.access_token}}'], 'session_id'),
            ('set_var', ['{{account.instance_url}}'], 'server_url')

I could see it is getting the server URL from the account configuration which is as follows ($SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/splunk_ta_salesforce_account.conf):

access_token = ******
auth_type = oauth
client_id = <client_id>
client_secret = ******
endpoint = <endpoint_url>
instance_url = https://<endpoint_url>
refresh_token = ******

Does anyone know what's going on here? I can't seem to find any reason that the script wouldn't be able to see the account configuration.

Any help would be greatly appreciated.



Hi Pat,

Are you still encountering this issue? Removing the protocol header "http://" from the endpoint field worked for me, e.g. "endpoint =" in .../local/splunk_ta_salesforce_account.conf. I don't believe I specified an instance URL either, but I did find that in the case of establishing connectivity with the newer SaaS/Force platform, the add-on worked for me only when I supplied the instanced URL ( in the endpoint field, i.e. not whatever virtual LB being pointed to by


0 Karma

Path Finder

we are having the same issue but only with production salesforce api for eventlog input. It works for salesforce Sandbox environments.

this is an example of non prod log (where it works), func_name=_retry_send_request_if_needed, code_line_no=181 | [stanza_name=Salesforce_Eventlog] Invoking request to [] using [GET] method

and this is the prod log (where it is skipping the entire url)
HTTPError: HTTP Error Only absolute URIs are allowed. uri = /services/data/v42.0/sobjects/EventLogFile/0AT2B00000005xpWAA/LogFile

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...