Splunk® Supported Add-ons

Splunk Add-on for Okta

Search commands in the Splunk Add-on for Okta

The Splunk Add-on for Okta allows Splunk platform administrators or users with the admin_all_objects capability to use search commands to add group members, remove group members, and deactivate users in your Okta instance.

Before you can use these commands, you must enable updates to the Okta server on the add-on setup page. Each command makes a live change in Okta, so restrict the admin_all_objects capability to the users who are expected to perform these actions.

The following table describes each command and the action it performs. Enter the commands in the Splunk Search & Reporting app search bar.

Command: oktaaddmember
  Required parameters: userid or username; groupid or groupname
  Optional parameters: max
  Description: Adds the user identified by userid/username to the group identified by groupid/groupname. The userid/username and groupid/groupname values can be specific or tokenized.

Command: oktaremovemember
  Required parameters: userid or username; groupid or groupname
  Optional parameters: max
  Description: Removes the user identified by userid/username from the group identified by groupid/groupname. The userid/username and groupid/groupname values can be specific or tokenized.

Command: oktadeactivateuser
  Required parameters: userid or username
  Optional parameters: max
  Description: Deactivates the user identified by userid/username. The userid/username value can be specific or tokenized.

If both userid and username are provided, userid takes precedence. Likewise, if both groupid and groupname are provided, groupid takes precedence.

username and groupname can only be used if the User and Group metrics are being collected, because the command first looks up the corresponding userid or groupid in the indexed user and group data. If no match is found in the index, the command has no ID to act on.

If the user or group parameters are tokenized, the command runs once per event returned by the search. Set max to limit it to the first max events; set max to 0 to act on every event.

Examples

The following search shows an example of using the oktaaddmember command to add a specific user to a group:

sourcetype=okta:im source=okta:event |oktaaddmember userid=00U0000000000000006 groupid=00g15jqj1614qXptB1dB

The following search shows an example of using the oktaremovemember command to remove tokenized users from a specific group:

sourcetype=okta:im source=okta:event |oktaremovemember userid=$user_id$ groupid="00g15jqj161LQX0tB1d8"

The following search shows an example of using the oktadeactivateuser command to deactivate three tokenized users:

sourcetype=okta:im source=okta:user |oktadeactivateuser username=$profile.login$ max=3
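The following pair of searches is an added example and is not part of the add-on documentation. Because oktadeactivateuser changes the account state in Okta for every event the search returns, preview the affected logins before running the action. The first search uses the standard SPL commands dedup and head to show the same records the tokenized command would act on; the second search applies the deactivation. It assumes that max=3 acts on the first three events in search order (which is what head 3 previews) and that dedup profile.login is appropriate so that the same login is not submitted more than once.

```spl
sourcetype=okta:im source=okta:user
| dedup profile.login
| head 3
| table profile.login

sourcetype=okta:im source=okta:user
| dedup profile.login
| oktadeactivateuser username=$profile.login$ max=3
```

Run the first search, confirm the three logins are the intended ones, and only then run the second search with the identical base search and dedup so that the command receives exactly the events you reviewed.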


This documentation applies to the following versions of Splunk® Supported Add-ons: released

