Hi All,

We are unable to get Salesforce event log into Splunk.  Getting 400 error code. PFB the error message details.

Also note that, we are able to query the data and fetch the results by the same user through Salesforce, it is just that when we connect through Splunk it doesn't work.

Here is an error message:

2020-07-07 07:47:13,452 +0000 log_level=ERROR, pid=32523, tid=MainThread, file=engine_v2.py, func_name=start, code_line_no=57 | [stanza_name=event] CloudConnectEngine encountered exception Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_salesforce/bin/splunk_ta_salesforce/cloudconnectlib/core/engine_v2.py", line 52, in start for temp in result: File "/opt/splunk/etc/apps/Splunk_TA_salesforce/bin/splunk_ta_salesforce/cloudconnectlib/core/job.py", line 88, in run contexts = list(self._running_task.perform(self._context) or ()) File "/opt/splunk/etc/apps/Splunk_TA_salesforce/bin/splunk_ta_salesforce/cloudconnectlib/core/task.py", line 288, in perform raise CCESplitError cloudconnectlib.core.exceptions.CCESplitError

2020-07-07 07:47:13,451 +0000 log_level=ERROR, pid=32523, tid=MainThread, file=task.py, func_name=_send_request, code_line_no=504 | [stanza_name=event] The response status=400 for request which url=https://xxxyyyy.salesforce.com/services/data/v48.0/query?q=SELECT%20Id%2CEventType%2CLogDate%2CCreatedDate%20FROM%20EventLogFile%20WHERE%20CreatedDate%3E%3D2020-06-07T00%3A00%3A00.000z%20AND%20Interval%3D%27Hourly%27%20ORDER%20BY%20CreatedDate%20LIMIT%201000 and method=GET.