Salesforce data is a type of application data that provides insight into the usage and adoption of the Salesforce platform. The data can also be used for security and troubleshooting purposes. The data is gathered by Splunk via modular inputs that poll the Salesforce APIs at a configurable interval.
Salesforce data can be used to search and report on user activity, such as logon analytics, and to review browsing history by user to see which features are being adopted. For security monitoring, you can also track behavior that indicates unauthorized access and support data loss prevention.
How can I use this data?
When your Splunk deployment is ingesting Salesforce data, you can use the data to achieve the following objectives:
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Salesforce resources.
If your deployment is not already ingesting Salesforce, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is sfdc.
The source type is sfdc:*.
The supported input types are modular inputs.
In addition, you will need the Splunk Add-on for Salesforce. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Salesforce, and configure Splunk.
The best way to estimate sizing is to send the data to Splunk and use the monitoring console to get ingest sizing by index or sourcetype. Data ingest will vary widely, but an estimated baseline is 100/MB per day per item.
The first step in validating the logs is to run a search and confirm that the index is getting data in the proper time frame and that the source types and sources are as expected. Further validation is done by inspecting the events and making sure the needed fields are seen. A search similar to the following is a good starting point.
| tstats values(sourcetype) WHERE index=sfdc BY index
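The validation described above (right index, expected source types, events within the expected time frame, required fields present) can also be scripted against the results of a search. The following is an added example, not code from this page or from the Splunk Add-on for Salesforce. It assumes each event is a dict with index, sourcetype and _time (epoch seconds) plus the event fields; the sourcetype names, field names (Username, SourceIp, Status) and the sample events are constructed for illustration and are not the add-on's documented schema.

```python
"""Validate a batch of Salesforce events retrieved from Splunk (added example).

Assumptions: each event is a dict carrying the Splunk metadata fields index,
sourcetype and _time (epoch seconds) alongside the extracted event fields.
The field names and sourcetype names below are illustrative, not the
add-on's documented schema; check the add-on documentation for the real ones.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample data: three well-formed events and two that should fail.
SAMPLE_EVENTS = [
    {"index": "sfdc", "sourcetype": "sfdc:loginhistory",
     "_time": (NOW - timedelta(hours=1)).timestamp(),
     "Username": "alice@example.com", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"index": "sfdc", "sourcetype": "sfdc:loginhistory",
     "_time": (NOW - timedelta(hours=2)).timestamp(),
     "Username": "bob@example.com", "SourceIp": "198.51.100.7", "Status": "Failed"},
    {"index": "sfdc", "sourcetype": "sfdc:object",
     "_time": (NOW - timedelta(hours=3)).timestamp(),
     "Username": "carol@example.com", "SourceIp": "192.0.2.5", "Status": "Success"},
    # Stale event: outside the expected ingest window (polling may have stalled).
    {"index": "sfdc", "sourcetype": "sfdc:loginhistory",
     "_time": (NOW - timedelta(days=10)).timestamp(),
     "Username": "dave@example.com", "SourceIp": "192.0.2.9", "Status": "Success"},
    # Landed in the wrong index and is missing a field the searches rely on.
    {"index": "main", "sourcetype": "sfdc:loginhistory",
     "_time": (NOW - timedelta(hours=1)).timestamp(),
     "Username": "eve@example.com", "Status": "Success"},
]

# Fields the downstream searches need; assumed names, adjust to the real schema.
REQUIRED_FIELDS = ("Username", "SourceIp", "Status")


def validate_events(events, now=NOW, window=timedelta(hours=24),
                    expected_index="sfdc", sourcetype_prefix="sfdc:",
                    required=REQUIRED_FIELDS):
    """Check a list of events and return counts per sourcetype plus problems.

    Each problem is a (event_position, description) tuple so the caller can
    pull the offending event for inspection.
    """
    by_sourcetype = {}
    problems = []
    cutoff = (now - window).timestamp()
    for pos, ev in enumerate(events):
        # The recommended index for this data source is sfdc.
        if ev.get("index") != expected_index:
            problems.append((pos, f"unexpected index {ev.get('index')!r}"))
        # Source types for this add-on share the sfdc: prefix.
        st = ev.get("sourcetype", "")
        if not st.startswith(sourcetype_prefix):
            problems.append((pos, f"unexpected sourcetype {st!r}"))
        # Events older than the window suggest the modular input is not polling.
        if ev.get("_time", 0) < cutoff:
            problems.append((pos, "event older than expected window"))
        # Missing fields usually mean extraction or add-on configuration issues.
        missing = [f for f in required if f not in ev]
        if missing:
            problems.append((pos, f"missing fields {missing}"))
        by_sourcetype[st] = by_sourcetype.get(st, 0) + 1
    return {"count": len(events), "by_sourcetype": by_sourcetype, "problems": problems}


def format_report(summary):
    """Render the summary as plain text for a console or a ticket."""
    lines = [f"events checked: {summary['count']}"]
    for st, n in sorted(summary["by_sourcetype"].items()):
        lines.append(f"  {st}: {n}")
    lines.append(f"problems: {len(summary['problems'])}")
    for pos, desc in summary["problems"]:
        lines.append(f"  event {pos}: {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(validate_events(SAMPLE_EVENTS)))
```

In practice the event list would come from a Splunk search export (for example the results of the tstats search above, widened to return the raw events); the sample data is embedded here only so the script runs offline. An empty result set produces no problems, so check the count as well: zero events within the window is itself a sign that the modular input is not polling.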