I would like to add the SetupAuditTrail object as an input in the Splunk Add-on for Salesforce, but I have been unsuccessful, compared to other objects like LoginHistory, which is pulling fine. Is there a limitation, or is there something I am doing incorrectly in my input configuration?
Not Getting Pulled
Getting Pulled
Did you get the SetupAuditTrail logs to Splunk? I am facing the same issue.
Hello,
Your Object Fields and Order By fields are wrong; check this question.
Object Fields should be = Id,Action,Section,CreatedDate,CreatedById,Display,DelegateUser,ResponsibleNamespacePrefix
Order By field should be = CreatedDate
But then I discovered that it's pulling the first 90 days of events and then it stops. I think there's a bug in the code, since the logs seem to be trying to poll from the checkpoint but never find anything new anymore.
@bullcitydave,
Maybe try reducing the interval. Since it's 7200, the data will be available after 2 hrs. Try reducing the interval for testing and, once confirmed, set it back to normal.