Skip to main content
Topics#Data ManagementAristotelis Savas's Question
Aristotelis Savas (CarMax) asked in #Data Management
Apr 2, 2021, 8:06 PM

Are CronJobDetail, CronTrigger objects exposed to Splunk integration?

Problem I'm trying to solve for: Want to get some alerting on the Scheduled Jobs in Salesforce, particularly things like (in semi-pseudocode):

  1. CronTrigger.State IN ('DELETED','ERROR','BLOCKED','PAUSED','PAUSED_BLOCKED')
  2. CronTrigger.EndTime != NULL (If someone's making a job through the UI with an end date, I want to know about it)
  3. CronJobDetail.Name LIKE '%Friendly%Job%Name%' AND (NOW() - CronTrigger.PreviousFireTime > [some interval]) ... basically, if my prod team has created a scheduled job and I have a name for it, and they say it should run hourly, I want to alert if it doesn't.

Easy stuff to SOQL query on, but spent a while going down the rabbit hole on the best way to alert on this.

  1. Started looking at Splunk but since I’m not an admin on that platform I had some time to wait while my request was processed. Kept looking around.
  2. Tableau? Yeah I can make a dataflow but that data is as old as your last dataflow run. Made a dash using a live query to get around that and I can alert on the widgets, but Tableau / Einstein isn't really an alerting platform.
  3. Coding something that copies this all to a friendlier object is overkill.
  4. Settled on Splunk

My internal Splunk team already tried ingesting these two objects into sources for me and they're getting a 400 error. Most of what I'm reading about a 400 response in Splunk is that's tied to a malformed query, but his query looks okay to me. Field names look right. Then I realized I'd seen this before and it was because the Splunk API integration account didn't have access to the custom object I was Splunking.

 

CronTrigger and CronJobDetail are protected / sysobjects. I can't modify security on them (nor would I). So here is my question:

  1. Can I Splunk these objects? I've not seen anyone on Google doing it.
  2. If not, is there a better way to get an alert on these conditions? Email is fine, I can integrate that with a ticketing system.

I did find one article on a Splunk forum about 400 errors on Salesforce object queries with timebound predicates (adding an 

AND interval='Daily' or AND interval='Hourly'), I passed that on to the Splunk guys but in the meantime knowing what I know about Splunk and security on objects I'm wondering if this is even possible.

 

 
2 answers
  1. Aristotelis Savas (CarMax)
    Apr 5, 2021, 4:34 PM
    Wouldn't running a batch / async job on schedule just to query a table that in theory should never have more than 100 objects and spot a few alerting conditions be overkill? I'm not actually transforming anything here, and the volume is low. Plus, running my monitoring through the scheduler would result in a catch-22 ... I wouldn't get alerts if jobs get hung in paused, blocked, or paused_blocked longer than expected ......... because it would be one of them.
Write an answer...
0/9000