Splunk for Enterprise Documentation (Salesforce)
Download and install Splunk for Enterprise from the website depending on your system specifications
On installing and choosing Splunk to run as localhost, open it in the default browser and login using the default credentials.
Click on the “Plus symbol” under Search and Reporting, which is placed under the Apps Tab
Search for Splunk app for Salesforce, and install it.
Open Splunk App for Salesforce. If it’s the first time it’s being opened, you will be prompted with the connection page for salesforce. Fill in the necessary details and save.
Restart Splunk (Under Server Controls - http://localhost:8000/en-US/manager/splunk-app-sfdc/control)
Open the application, and go to settings. Click on Data inputs under the Data tab.
Optional: enable only if you want Splunk to store event logs) Go to “Salesforce Event Log” and enable EventLog. (http://localhost:8000/en-US/manager/splunk-app-sfdc/data/inputs/sfdc_event_log)
Go to “Salesforce Object” and enable the required objects under it. If a new object is needed to be indexed by Splunk, it can be registered by clicking the new button and following the required steps. (http://localhost:8000/en-US/manager/splunk-app-sfdc/data/inputs/sfdc_object).
Go to settings and choose “Access Controls”, and choose Roles. (http://localhost:8000/en-US/manager/splunk-app-sfdc/authorization/roles)
Choose the admin role and goto “Indexes searched by Default”.
Default set of indexes: Splunk Enterprise comes with a number of preconfigured indexes, including:
main: This is the default Splunk Enterprise index. All processed data is stored here unless otherwise specified.
_internal: Stores Splunk Enterprise internal logs and processing metrics.
_audit: Contains events related to the file system change monitor, auditing, and all user search history. If enables audit logs will start showing up under search.
Fishbucket: For Splunk engineers trying to decipher file input issues. It contains seek pointers and CRCs for the files you are indexing, so Splunk can tell if it has read them already.
_introspection: This is intended to collect information about your systems running Splunk and give you more data to help diagnose Splunk performance issues.
Setting up a new salesforce object in Splunk
Select “Salesforce Object” under data inputs in settings for a new entry.
Provide a name for the input.
Paste the SOQL query you want to index. (without order by clause)
Choose the field you want the data to be ordered by.
Select the time you want to start querying data from. The default is 90 days.
Select the number of records you want Splunk to index in each query.
Select the interval you want Splunk to poll. Ex – Every 60 secs
Let the hostname and Source Type be the default values.
Choose the destination index to sfdc.
Setting up Alerts for Events
Alerts for an event can be set in Splunk in 4 different ways. (1) It can be just added to triggered alerts. (2) Can be sent in form of emails (3) Can be triggered in the form of running a script. ( Note: The script needs to be saved in the Splunk bin directory under the Scripts Folder) (4) Lastly can be triggered in the form of a webhook.
To set up alerts for email, the Mail server configuration to send the email needs to be set up with the respective SMTP server along with the port details, username and password.
On searching for the required events from Splunk, the search can be saved and can be used to alert in a pre-defined timeline for any new events. To save a search as an alert, Click the “Save As” Button and choose Alert.
Give a suitable title to the alert, and choose whether the alert should run at a scheduled time or should run real-time.
Choose the appropriate Trigger Conditions required for your search.
Choose the appropriate trigger actions. Multiple trigger actions is allowed for a single event.
If the fields in the results need to be sent in the alert, the field keyword needs to be explicitly used in the search formula containing the fields to be sent in the email alert.
The email alert can call this field using the token $result.<fieldname>$
Other email tokens that can be used are - http://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/EmailNotificationTokens