All Apps and Add-ons

Why does Salesforce eventtype=sfdc-login-history not show user details in Splunk Cloud version?

kalpesh173
Engager

Hi All,

I have configured Splunk App for Salesforce and Splunk Addon for Salesforce in Splunk Cloud and all dashboards are working fine except Logon Analytics dashboard. I have checked that UserType dropdown is not showing any data. Also, have checked that event sfdc-login-history shows login history data but user details are missing i.e. UserType, Firstname, Lastname etc.

The same Salesforce Org all data is visible in Splunk Enterprise version, but we need to implement Cloud version.

Splunk App for Salesforce version is 3.0
Splunk Addon for Salesforce version is 2.0

Is there any issue with lookups in Splunk app for Salesforce?

Labels (1)

jamieramos
New Member

Hi,

The below solution worked for me. To get around this, instead of having to delete the inputs and index (which is much more difficult in a larger scale environment), I updated the inputs to order by login date instead of modified date and removed modified date from the object fields. 

I am now receiving sfdc:user data.

0 Karma

rrustong
Explorer

I realize this is an old question and you have probably found a fix, but this just happened to me as well, so I wanted to share what I found for any other users who stumble on this in the future.

The problem I found is that all of the inputs have a default of 90 days worth of history, and look at the last modified date for the objects. In the case of user accounts, very few of our user accounts had been modified in the past 90 days so almost no user data was populated in the sfdc:user sourcetype. That sourcetype is used to populate the user lookup, which is then used by many of the dashboards to convert a user ID into actual named users.

The fix for me was to disable all of the SFDC inputs, delete the sfdc index and start all of the inputs over with much longer initial dates. In my case I was able to go back to when our SFDC instance was created because it is a relatively small environment, but that guarantees that I have user data for all users in our SFDC instance.

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...