Skip to main content

Salesforce

  • Updated

Salesforce data is a type of application data that provides insight into the usage and adoption of the Salesforce platform. The data can also be used for security and troubleshooting purposes. The data is gathered by Splunk via modular inputs that poll the Salesforce APIs at a configurable interval. 

Data visibility 

Salesforce data can be used to search and report on user activity such as logon analytics, review browsing history by user to tell which features are being adopted. For security monitoring, you can also track behaviors for unauthorized access and for data loss prevention. 

How can I use this data?

When your Splunk deployment is ingesting Salesforce data, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Salesforce resources.

Data ingestion

If your deployment is not already ingesting Salesforce, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The recommended index is sfdc

The source type is sfdc:*

The supported input types are modular inputs.

In addition, you will need the Splunk Add-on for Salesforce. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Salesforce, and configure Splunk. 

Sizing estimate

The best way to estimate sizing is to send the data to Splunk and use the monitoring console to get ingest sizing by index or sourcetype. Data ingest will vary widely, but an estimated baseline is 100/MB per day per item. 

Validation

The first step in validating the logs is to run a search and confirm that the index is getting data in the proper time frame and that the source types and sources are as expected. Further validation is done by inspecting the events and making sure the needed fields are seen. A search similar to the following is a good starting point. 

| tstats values(sourcetype) WHERE index=sfdc group by index

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.