Splunk App Status code 429 "Server failed to fulfill the request"


Article ID: 232689


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The Splunk App logs written to $SPLUNK_HOME/etc/var/log/scwss/scwss-poll.log show the following error:

2022-01-18 18:05:21,096 ERROR 4156 - 2022-01-18 18:05:21 status=error, msg='Server failed to fulfill the request', code='429'

Environment

Near Real-Time Log SyncAPI for Cloud SWG (formerly known as WSS)

Splunk App for Cloud SWG (formerly known as WSS)

Cause

The SyncAPI for Cloud SWG (formerly known as WSS) throttles an aggressive client by returning a 429 (Too Many Requests) response code, which tells the client not to send another request until it has waited an additional Retry-After number of seconds.

An overly aggressive client is defined as one that is polling for any new data in the current hour more often than is reasonable.

Resolution

The HTTP response provides a Retry-After header field that indicates how many seconds the client must pause before sending the next request. The default throttle is expected to be around five (5) minutes.

Broadcom recommends that customers who create multiple copies of their cloud service archive data use a single download client and multiplex the data after it is downloaded. Thus, the Web Security Service imposes the throttle across all clients of the same customer regardless of client endpoint or API Key.

If you MUST have multiple clients polling data, you must synchronize all connections to the WSS API so that they occur at least 5 minutes apart from each other.
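The following added example (not Broadcom's or the Splunk App's code) sketches a single polling client that honors Retry-After on a 429 and otherwise keeps polls five minutes apart. The names `retry_after_seconds`, `poll` and `fetch` are hypothetical, and the example goes slightly beyond the article by also accepting the HTTP-date form of Retry-After that RFC 9110 allows.

```python
import email.utils
import time
from datetime import timezone

DEFAULT_THROTTLE_S = 300  # article: default throttle is around five minutes


def retry_after_seconds(headers, now=None, default=DEFAULT_THROTTLE_S):
    """Seconds to wait per Retry-After; `default` if absent or unparsable."""
    value = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if value is None:
        return default
    value = value.strip()
    if value.isdecimal():  # delta-seconds form, as described in the article
        return int(value)
    try:  # HTTP-date form, also permitted by RFC 9110
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return default
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = time.time() if now is None else now
    return max(0, int(when.timestamp() - now))


def poll(fetch, sleep=time.sleep, max_polls=3, min_interval=DEFAULT_THROTTLE_S):
    """Poll with one client, spacing requests as the service asks.

    `fetch` is a hypothetical callable returning (status, headers, body).
    Returns (bodies, waits) so the resulting schedule can be inspected.
    """
    bodies, waits = [], []
    for _ in range(max_polls):
        status, headers, body = fetch()
        if status == 429:
            wait = retry_after_seconds(headers)  # back off; do not retry early
        else:
            if status == 200:
                bodies.append(body)
            wait = min_interval  # keep polls at least five minutes apart
        waits.append(wait)
        sleep(wait)
    return bodies, waits


if __name__ == "__main__":
    # Constructed responses standing in for the sync API; no network access.
    canned = iter([(429, {"Retry-After": "120"}, b""), (200, {}, b"log-chunk")])
    print(poll(lambda: next(canned), sleep=lambda s: None, max_polls=2))
```

If several consumers need the data, run this one client and fan the downloaded data out afterwards, as the article recommends.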
