
Splunk not receiving logs via SyncAPI from additional Web Security Service tenants


Article ID: 175715




Cloud Secure Web Gateway - Cloud SWG


A single Splunk instance uses the SyncAPI function to request logs from more than one Web Security Service (WSS) tenant (account). The Splunk instance can pull logs from one WSS tenant, but not from the other(s). It has been confirmed that API requests for both WSS tenants are received with the corresponding credentials.


Web Security Service


The Splunk instance places the same sync token in its API requests regardless of which WSS tenant it is requesting logs from. The requests for the tenant whose logs are not being retrieved are rejected because they carry the same token as the requests for the tenant whose logs are being retrieved, but with different credentials.


Possible solutions are to write custom scripts that request the logs (without using the WSS plugin in Splunk), or to have the logs for the other tenant(s) requested from a different Splunk instance.
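The following is an added example (not Broadcom or Splunk code) of what such a custom script has to get right: the sync continuation token must be tracked per tenant, because a token issued for one tenant's credentials is rejected when presented with another tenant's. The endpoint path, the `startDate`/`endDate`/`token` parameters and the `X-sync-token`/`X-sync-status` headers are assumptions based on the Near Real-Time Log Sync brief; verify them against that document. The server is a constructed fake so the example runs offline, and it reproduces the rejection behaviour described above.

```python
import base64

SYNC_URL = "https://portal.threatpulse.com/reportpod/logs/sync"  # assumed endpoint

def basic_auth(username, password):
    """RFC 7617 Basic credentials for a tenant's API user."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def build_request(creds, token, start_ms, end_ms=0):
    """One SyncAPI request: tenant credentials plus that tenant's own sync token."""
    params = {"startDate": start_ms, "endDate": end_ms, "token": token}
    return {"url": SYNC_URL, "params": params,
            "headers": {"Authorization": basic_auth(*creds)}}

class FakeSyncServer:
    """Constructed stand-in for the WSS report pod: it remembers which account each
    continuation token was issued to and rejects a token presented with another
    account's credentials (the failure the article describes)."""
    def __init__(self):
        self.issued = {}      # token -> account username it was issued to
        self.counter = 0
    def handle(self, req):
        b64 = req["headers"]["Authorization"][len("Basic "):]
        user = base64.b64decode(b64).decode().split(":", 1)[0]
        token = req["params"]["token"]
        if token != "none" and self.issued.get(token) != user:
            return 401, {}, b""                       # token belongs to another tenant
        self.counter += 1
        new_token = f"tok{self.counter}"
        self.issued[new_token] = user
        return 200, {"X-sync-status": "done", "X-sync-token": new_token}, b"log-zip"

def poll_shared_token(tenants, server, cycles=2):
    """Splunk-style behaviour: one token variable reused for every tenant."""
    token, results = "none", []
    for _ in range(cycles):
        for creds in tenants:
            status, headers, _ = server.handle(build_request(creds, token, 0))
            results.append((creds[0], status))
            token = headers.get("X-sync-token", token)
    return results

def poll_per_tenant(tenants, server, cycles=2):
    """Fix: keep a separate continuation token for each tenant."""
    tokens = {creds[0]: "none" for creds in tenants}
    results = []
    for _ in range(cycles):
        for creds in tenants:
            status, headers, _ = server.handle(build_request(creds, tokens[creds[0]], 0))
            results.append((creds[0], status))
            tokens[creds[0]] = headers.get("X-sync-token", tokens[creds[0]])
    return results

TENANTS = [("tenantA-api", "secretA"), ("tenantB-api", "secretB")]  # constructed credentials
```

With the shared token only the first tenant keeps succeeding, which matches the symptom in this article; the per-tenant version returns 200 for every tenant on every cycle.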

See the documentation about the SyncAPI function for further information on its format: Web Security Service: Near Real-Time Log Sync Brief