
Set up the Splunk Add-on for Salesforce

The Splunk Add-on for Salesforce provides two ways for authenticating accounts: basic authentication and OAuth 2.0 authentication.

For basic authentication, you can configure the Splunk Add-on for Salesforce either through Splunk Web or by making changes directly in configuration files. Due to the complexity of the setup, configuring the add-on through Splunk Web is a best practice. For OAuth, you must configure the add-on through Splunk Web.

Set up basic authentication using Splunk Web

To set up the Splunk Add-on for Salesforce using Splunk Web, complete the following steps:

  1. Go to the Splunk Add-on for Salesforce. You can do this in either of the following ways:
    • Click the name of this add-on on the left navigation banner on the Splunk Web home page.
    • Go to Manage Apps and click Launch App in the row for the Splunk Add-on for Salesforce.
  2. Click the Configuration tab to set up Salesforce credentials, as well as an optional proxy and logging level.
  3. Go to the Account tab.
  4. Click Add.
  5. Add a unique Account Name.
  6. Enter the endpoint for your Salesforce environment, without the http/https scheme. The default endpoints are:
    • Production: login.salesforce.com
    • Sandbox: test.salesforce.com
    • Other: Add a custom endpoint, for example my-dev-ed.my.salesforce.com.
  7. Select the Salesforce API Version to configure your account with. The default API Version is 62.0.
  8. Select Basic Authentication for the Auth Type.
  9. Enter your Salesforce Username, Password, and Security Token. You do not need to add a token if your instance is in the trusted IP range.

The security token is used in combination with a password to access Salesforce through the API. The purpose of this token is to improve the security between Salesforce users and Salesforce.com. For more information on security tokens, refer to the Security and the API document.

Set up OAuth authentication using Splunk Web

  1. Go to the Splunk Add-on for Salesforce. You can do this in either of the following ways:
    • Click the name of this add-on on the left navigation banner on the Splunk Web home page.
    • Go to Manage Apps and click Launch App in the row for the Splunk Add-on for Salesforce. See Set up OAuth App in the Salesforce in this manual for more information.
  2. Click the Configuration tab to set up Salesforce credentials, as well as an optional proxy and logging level.
  3. Go to the Account tab.
  4. Click Add.
  5. Add a unique Account Name.
  6. Enter the endpoint for your Salesforce environment, without the http/https scheme. The default endpoints are:
    • Production: login.salesforce.com
    • Sandbox: test.salesforce.com
    • Other: Add a custom endpoint, for example my-dev-ed.my.salesforce.com.
  7. Select the Salesforce API Version to configure your account with. The default API Version is 62.0.
  8. Select OAuth 2.0 Client Credentials as the Auth Type.
  9. Enter your Salesforce Client Id and Client Secret. The Client ID is called “Consumer Key” in your Salesforce managed app. Client Secret is called “Consumer Secret” in your Salesforce managed app.
  10. Click Add.

The Splunk Add-on for Salesforce uses the Client Credentials flow when the add-on is configured to use OAuth 2.0 Client Credentials.

Set up a proxy and logging level

If you are using a proxy, provide the following information on the Configuration tab:

  1. Check Enable Proxy.
  2. Specify the Host, Port, Username, and Password values.
  3. Check the DNS resolution box if you want to perform DNS resolution through your proxy.
  4. Select the type of proxy to use in the Proxy Type field.
  5. If you want to change the Logging level, select a new one.
  6. Click Save.

Checkpoint management

If the add-on (versions 2.0.0 and above) finds an existing checkpoint for a given input, the Use existing data input prompt is displayed:

  • If you select Yes, the add-on continues collecting data from that checkpoint.
  • If you select No, the add-on resets data collection, and data collection starts from your specified query start date.
  • If you select No and there is not a specified start date, data collection starts from the default start date.

Set up basic authentication using configuration files

You can configure your add-on by providing the settings in the local splunk_ta_salesforce_settings.conf and splunk_ta_salesforce_account.conf files.

  • splunk_ta_salesforce_settings.conf includes the proxy and logging level settings of the Splunk Add-on for Salesforce.
  • splunk_ta_salesforce_account.conf includes the Salesforce account settings of the Splunk Add-on for Salesforce.

Follow the steps to configure the Splunk Add-on for Salesforce using configuration files:

  1. Create a file named splunk_ta_salesforce_settings.conf in the local folder of the add-on, $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local.
  2. Copy the following stanzas and provide the necessary values in the local splunk_ta_salesforce_settings.conf file:

    [proxy]
    proxy_enabled =  [0|1]
    proxy_type = [http|socks5]
    proxy_url = <string>
    proxy_port = <integer>
    proxy_username = <string>
    proxy_password = <string>
    proxy_rdns = [0|1]
    
    [logging]
    loglevel = [DEBUG|INFO|WARNING|ERROR|CRITICAL]
    
  3. Create a file named splunk_ta_salesforce_account.conf in the local folder of the add-on $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local.

  4. Copy the following stanza and provide the necessary values in the local splunk_ta_salesforce_account.conf file:

    # The account name you create in this add-on
    [account_name]
    # URL of the Salesforce endpoint without http or https scheme. For example, my-dev-ed.my.salesforce.com
    endpoint = <string>
    auth_method = basic
    # The Salesforce username you want to use
    username = <string>
    # The password of the Salesforce username
    password = <string>
    # (Optional) The security token is needed if your Splunk instance is outside the Salesforce trusted IP range
    token = <string>
    # Salesforce API version (42.0, 43.0, 44.0, 45.0, 46.0, 47.0, 48.0, 49.0, 50.0, 51.0, 52.0, 53.0, 54.0, 55.0, 56.0, 57.0, 58.0, 59.0, 60.0, 61.0, 62.0)
    sfdc_api_version = <number>
    
  5. After updating the local splunk_ta_salesforce_settings.conf, users must navigate to the Configuration tab of the Splunk Add-on for Salesforce to encrypt the secrets in the .conf files.

Set up OAuth 2.0 Client Credentials flow using configuration files

You can configure your add-on by providing the settings in the local splunk_ta_salesforce_settings.conf and splunk_ta_salesforce_account.conf files.

  • splunk_ta_salesforce_settings.conf includes the proxy and logging level settings of the Splunk Add-on for Salesforce.
  • splunk_ta_salesforce_account.conf includes the Salesforce account settings of the Splunk Add-on for Salesforce.

Follow the steps to configure the Splunk Add-on for Salesforce using configuration files. For additional information about OAuth 2.0 configuration in Salesforce, see Set up OAuth App in the Salesforce.

  1. Create a file named splunk_ta_salesforce_settings.conf in the local folder of the add-on, $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local.
  2. Copy the following stanzas and provide the necessary values in the local splunk_ta_salesforce_settings.conf file:

    [proxy]
    proxy_enabled =  [0|1]
    proxy_type = [http|socks5]
    proxy_url = <string>
    proxy_port = <integer>
    proxy_username = <string>
    proxy_password = <string>
    proxy_rdns = [0|1]

    [logging]
    loglevel = [DEBUG|INFO|WARNING|ERROR|CRITICAL]

  3. Create a file named splunk_ta_salesforce_account.conf in the local folder of the add-on, $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce/local.

  4. Copy the following stanza and provide the necessary values in the local splunk_ta_salesforce_account.conf file:

    # The account name you create in this add-on
    [account_name]
    # URL of the Salesforce endpoint without http or https scheme. For example, my-dev-ed.my.salesforce.com
    endpoint = <string>
    auth_type = [basic|oauth]
    # The Salesforce user name; use for basic
    username = <string>
    # The Salesforce user password; use for basic
    password = <string>
    # The Salesforce user personal token; use for basic
    token = <string>
    # The Salesforce Client ID; use for oauth
    client_id = <string>
    # The Salesforce Client Secret; use for oauth
    client_secret = <string>
    # Salesforce API version (42.0, 43.0, 44.0, 45.0, 46.0, 47.0, 48.0, 49.0, 50.0, 51.0, 52.0, 53.0, 54.0, 55.0, 56.0, 57.0, 58.0, 59.0, 60.0, 61.0, 62.0)
    sfdc_api_version = <number>
    
  5. After updating the local splunk_ta_salesforce_settings.conf, users must navigate to the Configuration tab of the Splunk Add-on for Salesforce to encrypt the secrets in the .conf files.
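A pre-deployment check for the account file described in both configuration-file procedures above, as an added example that is not part of the add-on or of Splunk's documentation. The function name lint_account_conf and the sample stanzas are hypothetical; the rules (endpoint without scheme, API versions 42.0 to 62.0, settings per auth type) are the ones this page states, and both auth_method and auth_type are accepted because the page shows both names.

```python
import configparser

# Rules from the page: bare-host endpoint, API versions 42.0-62.0, per-auth settings.
API_VERSIONS = {f"{v}.0" for v in range(42, 63)}
REQUIRED = {"basic": ("username", "password"),  # token is optional
            "oauth": ("client_id", "client_secret")}
SECRET_KEYS = ("password", "token", "client_secret")

def lint_account_conf(text):
    """Return {stanza_name: [problem, ...]} for account .conf content."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        stanza, problems = cp[name], []
        endpoint = stanza.get("endpoint", "").strip()
        if not endpoint or "://" in endpoint:
            problems.append("endpoint must be a host name without http/https")
        # The page's two templates name this auth_method and auth_type; accept both.
        auth = (stanza.get("auth_type") or stanza.get("auth_method") or "").strip()
        if auth not in REQUIRED:
            problems.append(f"auth type {auth!r} is not basic or oauth")
        for key in REQUIRED.get(auth, ()):
            if not stanza.get(key, "").strip():
                problems.append(f"{key} is required for {auth}")
        version = stanza.get("sfdc_api_version", "").strip()
        if version not in API_VERSIONS:
            problems.append(f"sfdc_api_version {version!r} is not 42.0-62.0")
        for key, value in stanza.items():
            if key not in SECRET_KEYS and (" //" in value or " #" in value):
                problems.append(f"{key}: trailing note is read as part of the value")
        report[name] = problems
    return report

# Constructed sample; account names and credentials are placeholders.
SAMPLE = """\
[prod_basic]
endpoint = login.salesforce.com
auth_type = basic
username = svc-splunk@example.com
password = PLACEHOLDER
sfdc_api_version = 62.0
[sandbox_oauth]
endpoint = https://test.salesforce.com
auth_type = oauth
client_id = PLACEHOLDER
sfdc_api_version = 41.0
"""
print(lint_account_conf(SAMPLE))
```

Run it against the local file before opening the Configuration tab, while the secrets are still in plaintext and the file can still be corrected by hand.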

Add SSL certificate to trust lists

If you encounter an SSLHandshakeError:

  • The SSL certificate entry might be missing from your certificate store.
  • The Salesforce server is configured over a self-signed certificate and isn’t present in the library’s certificate store.

Follow the steps to resolve the issue:

  1. Download the root CA certificate used in your Salesforce deployment.
  2. Copy the contents of the new certificate.
  3. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_salesforce.
  4. Create a new .pem file and add the content of the new certificate. Append the new certificate content if the file is already present.
  5. Open the local/splunk_ta_salesforce_settings.conf file in a text editor, or create the file if it is not present.
  6. Add the ca_certs_path parameter value as follows:

    [general]
    # <absolute path to the <certs_file>.pem file>
    ca_certs_path=/opt/splunk/etc/apps/Splunk_TA_salesforce/custom_ca_certs.pem
    
  7. Save your changes.

  8. Restart your Splunk instance.

If you use the ca_certs_path parameter as described in the preceding steps, the <certs_file>.pem file must contain a certificate for every Salesforce server configured in this add-on.