All Apps and Add-ons

Splunk Add-on for Salesforce incorrect URL for event log

packland
Path Finder

Hi,

I've configured our Add-on for Salesforce to collect Event Log data as per the add-on documentation. It's using the same account as the object inputs (which are working fine) and the account definitely has API access to event log data.

However in the event log collector log file I'm seeing an error caused by an incomplete URL:

HTTPError: HTTP Error Only absolute URIs are allowed. uri = /services/data/v42.0/sobjects/EventLogFile/<file_id>/LogFile

it seems as though the endpoint is not being prepended to the URL, even though it's defined in the account that is being used.

I looked through the scripted inputs to see exactly how this flow works and found where the request object is built (Splunk_TA_salesforce/bin/input_module_sfdc_event_log.py (line 31):

request = {
        'url': '{{server_url}}/services/data/{{API_VERSION}}/sobjects'
               '/EventLogFile/{{event_log_file.Id}}/LogFile',
        'method': 'GET',
        'headers': header,
    }

{{server_url}} is set here (line 252):

# Block for OAuth flow
if task_config.get("account").get("auth_type") and 
    task_config.get("account").get("auth_type") == _OAUTHFLOW:
        set_values = (
            ('set_var', ['{{account.access_token}}'], 'session_id'),
            ('set_var', ['{{account.instance_url}}'], 'server_url')
        )

I could see it is getting the server URL from the account configuration which is as follows ($SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local/splunk_ta_salesforce_account.conf):

[svc_prod_salesforce]
access_token = ******
auth_type = oauth
client_id = <client_id>
client_secret = ******
endpoint = <endpoint_url>
instance_url = https://<endpoint_url>
refresh_token = ******

Does anyone know what's going on here? I can't seem to find any reason that the script wouldn't be able to see the account configuration.

Any help would be greatly appreciated.

Thanks,
Pat

peterkimas
Engager

Hi Pat,

Are you still encountering this issue? Removing the protocol header "http://" from the endpoint field worked for me, e.g. "endpoint = nycpizza.my.salesforce.com" in .../local/splunk_ta_salesforce_account.conf. I don't believe I specified an instance URL either, but I did find that in the case of establishing connectivity with the newer SaaS/Force platform, the add-on worked for me only when I supplied the instanced URL (x.my.salesforce.com) in the endpoint field, i.e. not whatever virtual LB being pointed to by x.lightning.force.com.

Best,
Peter

0 Karma

usup_rajbahak
Path Finder

we are having the same issue but only with production salesforce api for eventlog input. It works for salesforce Sandbox environments.

this is an example of non prod log (where it works)
file=http.py, func_name=_retry_send_request_if_needed, code_line_no=181 | [stanza_name=Salesforce_Eventlog] Invoking request to [https://xxxxxxxxxxxxxxx.my.salesforce.com/services/data/v42.0/sobjects/EventLogFile/0AT0i0000005bXSG...] using [GET] method

and this is the prod log (where it is skipping the entire url)
HTTPError: HTTP Error Only absolute URIs are allowed. uri = /services/data/v42.0/sobjects/EventLogFile/0AT2B00000005xpWAA/LogFile

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!