Re: Salesforce lookup table error

tv00638481 · ‎01-27-2024

Hi ,
We have onboarded Salesforce in our environment. However when we run the queries, we could notice below errors are getting continuously across the instance whenever any query is being run and also showing on all the dashboards.

[idx-i- xxxx.splunkcloud.com,idx-i-04xxxx.xxxx.splunkcloud.com,idx-i-075xxx.xxx.splunkcloud.com.idx-i-
Oaxxx.xxxx.splunkcloud.com,idx-i-0be.xxxx splunkcloud.com,sh-i-026xxx.xxxx.splunkcloud.com] Could not load lookup=LOOKUP-SFDC-USER_NAME

rbudini_splunk · ‎01-30-2024

The reason you are getting this message is because the indexers do not have the LOOKUP-SFDC-USER_NAME

The following Knowledge Article explains what is happening.

To get off this message I would suggest you open a support case and the Splunk Cloud engineer will be able to address this for you.

Robertino

tv00638481 · ‎03-01-2024

got it thank you.

tscroggins · ‎01-27-2024

Hi @tv00638481,

Make sure Splunk Add-on for Salesforce is installed on the search head and verify the lookup_sfdc_usernames KV store lookup definition is shared globally and accessible to everyone who needs to use Salesforce App for Splunk.

Also make sure the Lookup - USER_ID to USER_NAME saved search is enabled and scheduled. This is the search that populates the lookup. To improve performance, modify the saved search to user your Salesforce index instead of index=*. Splunk normally uses macros to specify indexes, but that was overlooked in this add-on.

tv00638481 · ‎01-27-2024

Hi
Thank you for the response.

On SH, we are not getting this error.

We getting these errors on ES and the app is available there and it's accessible globally. We are running query specific to Salesforce index only.

tscroggins · ‎01-27-2024

If you're using Splunk Cloud Classic Experience, the add-on needs to be installed on your ES SH as well.

tv00638481 · ‎01-28-2024

Addon is also installed.

tscroggins · ‎01-28-2024

What happens you run the following command from <your_stack_url>/app/splunk-app-sfdc/search:

| inputlookup lookup_sfdc_usernames

Do you see any results?

Do you have any duplicate definitions of LOOKUP-SFDC-USER_NAME under Settings > Lookups > Automatic Lookups with App: All and Owner: Any?

When you search against sourcetype=sfdc:loginhistory, do you still see errors? You can view search logs from Job > Inspect Job. In search.log, search for LOOKUP-SFDC-USER_NAME to see additional context. To view logs from indexers, add noop to your search:

index=your_index sourcetype=sfdc:loginhistory
| noop remote_log_fetch=*

tv00638481 · ‎01-31-2024

Hi,

I could get the results when I run the command. My observation about the lookup file between SH and ES on SH is , the .CSV extension is missing.once added it's running.

I'm trying understand the below query to implement.

Firstly, the description provided in the usecase is not clearly understood . I got this usecase from the splunk SF content search.

Anyone has idea about this query.

https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Protecting_a_Salesforce_cloud...

ROWS_PROCESSED>0 EVENT_TYPE=API OR EVENT_TYPE=BulkAPI OR EVENT_TYPE=RestAPI
|lookup lookup_sfdc_usernames USER_ID
|bucket _time span=1d 
|stats sum(ROWS_PROCESSED) AS rows BY _time Username
|stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'rows',null))) AS rows avg(eval(if(_time<relative_time(maxtime,"-1d@d"),'rows',null))) AS avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),'rows',null))) AS stdev BY Username
|eval lowerBound=(avg-stdev*2), upperBound=(avg+stdev*2)
|where 'rows' > upperBound AND num_data_samples >=7

Salesforce lookup table error

troubleshooting

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability