I found that the ‘SavedSearches.conf’ file is using the 15-digit Id, and Splunk search being case-insensitive, it links multiple users to the same event log.
search=index=* eventtype=sfdc_user IsActive=true | sort 0 - _time | dedup Id | rename Id as UserId | fields + UserId,FirstName,City,Country,IsActive,LastLoginDate,LastName,MobilePhone,Name,PostalCode,State,Username,UserRoleId,UserType,Email,CompanyName,ProfileId,Profile.PermissionsApiEnabled,Profile.PermissionsModifyAllData,Profile.PermissionsViewSetup | fields - _* | eval USER_ID=substr(UserId, 1, len(UserId)-3) | outputlookup lookup_sfdc_usernames.csv
I want to know why the Salesforce App in Splunk uses the 15-digit Id. If we use the 18-digit Id, it will solve the issue.
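As an added illustration (not code from the post or from the Splunk Salesforce app), this shows why the 15-character Salesforce Id is only unique under case-sensitive comparison, how the 3-character suffix of the 18-character Id encodes the case so a case-insensitive lookup key stays unique, and what the saved search's `substr(UserId, 1, len(UserId)-3)` throws away. The two sample Ids are constructed and differ only in letter case.

```python
# Added example: Salesforce 15-char vs 18-char Id handling under a
# case-insensitive comparison (as Splunk applies to the lookup key).

SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"


def to_18_char_id(id15: str) -> str:
    """Derive the case-safe 18-character Salesforce Id from a 15-character one.

    The Id is split into three 5-character chunks; for each chunk a 5-bit
    value marks which positions are uppercase, and that value is mapped to
    one suffix character. The suffix therefore survives lowercasing.
    """
    if len(id15) != 15:
        raise ValueError("expected a 15-character Salesforce Id")
    suffix = ""
    for chunk_start in (0, 5, 10):
        chunk = id15[chunk_start:chunk_start + 5]
        flags = 0
        for bit, ch in enumerate(chunk):   # bit i set when char i is uppercase
            if ch.isupper():
                flags |= 1 << bit
        suffix += SUFFIX_ALPHABET[flags]
    return id15 + suffix


def to_15_char_id(id18: str) -> str:
    """Mirror of the saved search's eval: substr(UserId, 1, len(UserId)-3).

    Dropping the suffix discards the only case-independent information.
    """
    return id18[:-3]


def case_insensitive_collisions(ids):
    """Group Ids that become indistinguishable when compared case-insensitively.

    Returns {lowercased_key: [original Ids]} for every key with more than one
    distinct Id, i.e. the users a case-insensitive lookup would merge.
    """
    buckets = {}
    for sf_id in ids:
        buckets.setdefault(sf_id.lower(), []).append(sf_id)
    return {key: ids_ for key, ids_ in buckets.items() if len(ids_) > 1}


# Constructed sample: two distinct users whose 15-char Ids differ only in case.
SAMPLE_15 = ["005A0000001AbCd", "005a0000001abcd"]
SAMPLE_18 = [to_18_char_id(i) for i in SAMPLE_15]   # suffixes differ: IAK vs AAA
```

With the 15-character Ids, `case_insensitive_collisions(SAMPLE_15)` merges both users into one key; with the 18-character Ids it returns nothing, which is the difference the post is asking about.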