Requirements
- A Salesforce account with real time event streaming enabled
- For Username + Password authentication, the username, password and security token
- For Connected App authentication, a Connected App with a pem certificate
- An Environment Activegate
Salesforce Account
- Under
Setup
-> Event Manager
enable Streaming Data
for the events you want to capture.
- Obtain the credentials needed for the extension to connect to Salesforce.
- For Username + Password authentication, check the User and Password Authentication section of this documentation
- For Connected App authentication, check the Connected App Authentication section of this documentation

Dynatrace
Create a Custom Application to receive the data:
- Navigate to
Digital Experiences
-> Custom Applications
-> Create custom application
.
- Give it a name and an icon

- Under the application settings, navigate to
Instrumentation Wizard
and save the Application ID for later

Activate the extension:
- Navigate to the Dynatrace Hub and activate the extension.
- Create a monitoring configuration on the extension page.
- Select an Activegate group.
- One of these servers will need to access the salesforce API, which is on the internet.
- The login URLs are:
https://login.salesforce.com
or https://test.salesforce.com
- The Pub Sub endpoints are:
api.pubsub.salesforce.com:7443
or api.deu.pubsub.salesforce.com:7443
- A proxy can be configured later if necessary.
The parameters for the monitoring configuration are:
Parameter | Description |
---|
Endpoint name | A friendly name to identify the endpoint |
Login URL | Chose from Production or Sandbox |
Pub/Sub URL | Chose from Global Endpoint or Europe (Frankfurt) Endpoint |
Reporting Mode | Only OpenKit is supported at this time |
Custom Application ID | The Dynatrace Custom Application ID for the app you created before |
Authentication type | Choose from Username and Password or Connected App, see specific documentation below |
Events filtering | Choose which real time events you'd like to send to Dynatrace, by default all are enabled |
Usernames Blocklist | Optional list of Usernames to ignore, use this to block automation/api users from reporting |
Proxy | Optional proxy, in case the Activegate cannot connect to the Salesforce URLs |
The data is sent to the Frontend Application that you created:

You can drill down to the Sessions:

And to the individual properties, by clicking on the User Action
> Perform waterfall analysis
:
To use these properties in User Sessions Query Language:
- Under the application settings, navigate to
Session and user action properties
- Create a property. Note: the Name must match exactly the property name as documented in the Salesforce events.
Example: capturing the number of rows for a report:

Querying the property:
SELECT useraction.name, SUM(longProperties.rowsprocessed) FROM useraction WHERE useraction.name STARTSWITH "Report" GROUP BY useraction.name

The extension uses the Salesforce Pub/Sub API to listen for Event Streaming Events.
These events are captured and sent as User Actions with all their respective properties sent as Action Properties. The event properties can be seen by
clicking on an User Action
> Perform waterfall analysis
A detailed description of every event and their properties can be found on
the Salesforce documentation.
The current events being captured are:
In this mode the extension connects as a Connected App, this is the recommended method of authentication and no user password is required.
Technically, the app implements the OAuth 2.0 JWT Bearer Flow
Dynatrace will ask for:
- The Consumer Key of the Connected App
- The Private Key of the Connected App
- The Subject of the JWT token, this is the username of a user that is part of a Profile in the Connected App
Requirements
openssl
(for generating the certificate, not needed if you already have a certificate and private key)
Note, on Windows if you have git
installed you should also have a copy of openssl.
It would be under a directory like C:\Program Files\Git\mingw64\bin
depending on your installation.
You can read more about the OAuth 2.0 JWT Bearer
Flow here
Certificate
The connected app must have a certificate.
We later authenticate with Salesforce using this certificate's private key
This command generates a certificate and a private key:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
The cert.pem
file will be later added to the Connected App.
The key.pem
file will be used by Dynatrace to authenticate with Salesforce.
Create the Connected App
In Salesforce Lightning:
- Go to Setup > Apps > App Manager
- Select New Connected App

Give the app a name and add the contact email. Under API (Enable OAuth Settings)
:
- Check Enable OAuth Settings
- The Callback URL is not used, you can input
http://localhost
- Check Use digital signatures
Upload the cert.pem
file generated above under Use digital signatures
.
Under Selected OAuth Scopes, Add these scopes:
- Manage use data via APIs (api)
- Perform requests at any time (refresh_token, offline_access)
Leave all other settings as default and click Save.
The Connected App screen should look like this (with your name, email and certificate):

OAuth policy
Now set up the OAuth Policy permitted users.
On the connected app page, select Manage, then Edit Policies.

Under OAuth Policies select Admin approved users are pre-authorized.
Click Save.

Approved users
Identify users that can use the app.
This is done by adding Profiles to the Application Profile Assignment list.
One the connected app page, under Profiles, click Manage Profiles.
Add profiles that can use the connected app.
Note: Later, any username from these profiles can be used as the Subject
when configuring the extension.
Note that the profile needs the permissions:
General User Permissions
View Real-Time Event Monitoring Data
Administrative Permissions
Customize Application
View All Data
Please check the needed permissions
documentation here
