Source and event types for the Splunk Add-on for Okta Identity Cloud
The Splunk Add-on for Okta Identity Cloud provides the following source types. The add-on assigns different source types based on the Metric selected from the input. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_okta_identity_cloud/lookups.
Source type | Description | Event Type | CIM data models |
---|---|---|---|
OktaIM2:log | System log events coming from Okta REST API endpoints. Refer to "CIM compatibility of Okta System Logs" for detailed information about Okta System Logs | okta_identity_cloud_alerts | Alerts |
OktaIM2:log | | okta_identity_cloud_authentication | Authentication |
OktaIM2:log | | okta_identity_cloud_change_all_changes | Change:All_Changes |
OktaIM2:log | | okta_identity_cloud_change_account_management | Change:Account_Management |
OktaIM2:log | | okta_identity_cloud_network_traffic | Network Traffic |
OktaIM2:app | Okta app events. Not recommended unless really needed | okta_app | Inventory:User |
OktaIM2:user | Okta user events | okta_user | Inventory:User |
OktaIM2:group | Okta group events | N/A | N/A |
OktaIM2:groupUser | Users associated to any group | N/A | N/A |
OktaIM2:appUser | Users associated to any app | okta_app_user | Change:Account_Management |
This documentation applies to the following versions of Splunk® Supported Add-ons: released