I've configured our Add-on for Salesforce to collect Event Log data as per the add-on documentation. It's using the same account as the object inputs (which are working fine) and the account definitely has API access to event log data.
However in the event log collector log file I'm seeing an error caused by an incomplete URL:
HTTPError: HTTP Error Only absolute URIs are allowed. uri = /services/data/v42.0/sobjects/EventLogFile/<file_id>/LogFile
it seems as though the endpoint is not being prepended to the URL, even though it's defined in the account that is being used.
I looked through the scripted inputs to see exactly how this flow works and found where the request object is built (Splunk_TA_salesforce/bin/input_module_sfdc_event_log.py (line 31):
Are you still encountering this issue? Removing the protocol header "http://" from the endpoint field worked for me, e.g. "endpoint = nycpizza.my.salesforce.com" in .../local/splunk_ta_salesforce_account.conf. I don't believe I specified an instance URL either, but I did find that in the case of establishing connectivity with the newer SaaS/Force platform, the add-on worked for me only when I supplied the instanced URL (x.my.salesforce.com) in the endpoint field, i.e. not whatever virtual LB being pointed to by x.lightning.force.com.