I would like to add the SetupAuditTrail object as an input in the Splunk Add-on for Salesforce, but I have been unsuccessful, compared to other objects like LoginHistory, which is pulling fine. Is there a limitation or something I am doing incorrectly in my input configuration?
Not Getting Pulled
Your Object Fields and Order By fields are wrong; check this question.
Object Fields should be = Id,Action,Section,CreatedDate,CreatedById,Display,DelegateUser,ResponsibleNamespacePrefix
Order By field should be = CreatedDate
But then I discovered that it's pulling the first 90 days of events and then it stops. I think there's a bug in the code, since the logs seem to be trying to pull from the checkpoint but never find anything new anymore.