Troubleshoot the Splunk Add-on for Okta Identity Cloud
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
The following troubleshooting guidance is specific to this add-on.
Monitor the troubleshooting dashboard
Starting in version 2.1.0, the add-on provides a monitoring dashboard that lets you quickly spot possible issues and view metrics on ingested events. The panels are visible on the landing page of the TA under the Monitoring Dashboard tab.
Currently, three panels are supported:
- Add-on version - Identifies the installed version of the add-on.
- Events ingested by sourcetype - Shows the count of events ingested for a specific sourcetype within the selected time range.
- Errors in the add-on - Shows the errors logged by the add-on within the selected time range.
Note: if you edit the dashboard (Edit button) after the add-on is installed, the changes are saved to the local folder, and you will continue to see your version of the dashboard even after you update the add-on.
Monitor the Okta System Logs Streaming Dashboard
This dashboard provides a time-series graph of the Okta System Log events ingested into Splunk, grouped by hostname and source name. It lets users determine when Okta System Log events arriving via Log Streaming were missed and not ingested into their Splunk environment. After identifying the affected time range, the user can use the modular input and specify the Start and End dates between which they want to collect the missing data. The time-series graph is populated based on the "published" time of the System Log event, which is also the _time of the event. The user can select multiple hosts and sources, and the search populates the graph based on that selection.
Missing Data
Inputs troubleshooting steps:
If the input is created successfully and you do not see the data in Splunk, make sure the input uses an index that exists in Splunk and that the API Token is valid and up to date. You can run this query to check your input data collection logs and troubleshoot the issue:
index=_internal source=splunk_ta_okta_identity_cloud_input-<input_name>.log
If the proxy is enabled, make sure it is working properly; if the proxy configuration is wrong, you may not see data in Splunk. You can run the following query to find proxy errors in Splunk:
index=_internal ProxyError
Data loss after upgrading from the Splunk Add-on for Okta Identity Cloud v1.0.1 to a later version
When upgrading the add-on, you must disable the inputs first. If data ingestion is in progress while the upgrade runs, disabling inputs can lead to data loss in Splunk. Once the add-on is successfully upgraded and the inputs are re-enabled, data collection continues without any issues.
Account not configured when using the OAuth2 mechanism
If you cannot save the account after providing all the details in the Account configuration tab, verify that the Okta Web App you created has all the scopes required to collect the data:
- To collect system logs, the okta.logs.read scope should be granted to the web app.
- To collect groups data, the okta.groups.read scope should be granted to the web app.
- To collect users data, the okta.users.read scope should be granted to the web app.
- To collect app data, the okta.apps.read scope should be granted to the web app.
Bad Request in popup window while using the OAuth2 mechanism in account configuration
If you see a 400 Bad Request in the popup window, make sure that you have added the Redirect URI value shown while configuring the Account in the Splunk add-on to the Okta Web App's Sign-in Redirect URL section.
Data Collection stopped in the add-on
If the data collection uses the OAuth2 mechanism, data collection can stop for one of the following reasons:
- "Expired Refresh Token" - To diagnose this, search
index=_internal "Error occurred while regenerating the access token"
or directly search the respective input log file. If this search shows results for that particular input, reconfigure the account in the add-on that is mentioned in the respective input log file.
- "Incorrect API Scopes" - To diagnose this, search
index=_internal "Failure caused due to incorrect Okta Web App Scopes"
or directly search the respective input log file. If this search shows results for that particular input, reconfigure the account in the add-on that is mentioned in the respective input log file.
For further troubleshooting, check the input log files.
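The following added example (not part of the add-on or this documentation) triages exported input log lines against the error strings named above: it derives the input name from the splunk_ta_okta_identity_cloud_input-<input_name>.log file name, flags the expired-refresh-token, incorrect-scopes and proxy conditions per input, and prints the matching remediation. The log line layout and timestamps in SAMPLE_EVENTS are constructed for illustration; only the file-name pattern and the error strings come from this page.

```python
import re
from collections import defaultdict

# Error strings this page says to search for, mapped to the condition each indicates.
SIGNATURES = {
    "Error occurred while regenerating the access token": "expired_refresh_token",
    "Failure caused due to incorrect Okta Web App Scopes": "incorrect_scopes",
    "ProxyError": "proxy_error",
}

# Remediation per condition, as given in the troubleshooting steps above.
REMEDIATION = {
    "expired_refresh_token": "Reconfigure the account used by this input (refresh token expired).",
    "incorrect_scopes": "Grant the missing okta.*.read scope on the Okta Web App, then reconfigure the account.",
    "proxy_error": "Check the proxy configuration; a wrong proxy prevents data from reaching Splunk.",
}

# Input log files are named splunk_ta_okta_identity_cloud_input-<input_name>.log
LOG_NAME_RE = re.compile(r"splunk_ta_okta_identity_cloud_input-(?P<input>[^/]+)\.log$")


def input_name_from_source(source):
    """Return the <input_name> part of an input log path, or None if the path does not match."""
    m = LOG_NAME_RE.search(source)
    return m.group("input") if m else None


def triage(events):
    """Map each input name to the set of conditions found in its log lines.
    events: iterable of (source_path, log_line) pairs, as returned by a search such as
    index=_internal source=splunk_ta_okta_identity_cloud_input-*.log
    """
    findings = defaultdict(set)
    for source, line in events:
        name = input_name_from_source(source) or source
        for needle, condition in SIGNATURES.items():
            if needle in line:
                findings[name].add(condition)
    return dict(findings)


def report(findings):
    """Render one remediation line per (input, condition), sorted for stable output."""
    return [f"{name}: {REMEDIATION[c]}" for name in sorted(findings) for c in sorted(findings[name])]


# Constructed sample lines (hypothetical timestamps and layout, not real add-on output).
BASE = "/opt/splunk/var/log/splunk/splunk_ta_okta_identity_cloud_input-"
SAMPLE_EVENTS = [
    (BASE + "okta_logs.log", "2024-05-01 10:00:01 ERROR Error occurred while regenerating the access token"),
    (BASE + "okta_logs.log", "2024-05-01 10:00:02 INFO Input okta_logs started"),
    (BASE + "okta_groups.log", "2024-05-01 10:00:03 ERROR Failure caused due to incorrect Okta Web App Scopes"),
    (BASE + "okta_groups.log", "2024-05-01 10:00:04 ERROR ProxyError: cannot connect to proxy"),
    (BASE + "okta_users.log", "2024-05-01 10:00:05 INFO Collected 120 users"),
]

if __name__ == "__main__":
    for line in report(triage(SAMPLE_EVENTS)):
        print(line)
```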