Splunk® Supported Add-ons

Splunk Add-on for Okta Identity Cloud



Configure the Splunk Add-on for Okta Identity Cloud

  1. On Splunk Web, go to the Splunk Add-on for Okta Identity Cloud, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Okta Identity Cloud.
  2. Click the Configuration tab.
  3. Click the Add-on Settings tab. This page allows you to configure additional add-on settings applied to all the organizations and inputs.


Each setting, with its description and default value:

    • User Limit: Number of items to collect per request for the Users data type (endpoint: /api/v1/users). Default 200 (allowed range 20-200).
    • Group Limit: Number of items to collect per request for the Group data type (endpoint: /api/v1/groups). Default 300 (allowed range 20-10000).
    • App Limit: Number of items to collect per request for the App data type (endpoint: /api/v1/apps). Default 200 (allowed range 20-200).
    • Log Limit: Number of items to collect per request for the Log data type (endpoint: /api/v1/logs). Default 1000 (allowed range 10-1000).
    • Rate Limit Percent (float): The hard upper limit used to throttle the request rate. Because Okta limits concurrent requests for the same account, we recommend keeping this value at 50%. Default 50.0.
    • Dynamic Rate Throttling: When enabled, an adaptive algorithm throttles the request rate, sending requests at dynamically recalculated intervals so that the request rate stays below the configured threshold. When disabled, the add-on sends a burst of requests until it reaches the Rate Limit Percent threshold defined above, then waits up to 60 seconds until more requests are available to consume. Enabled is the recommended setting. Default Enabled.
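The two throttling modes above, as an added Python illustration that is not the add-on's own code: it assumes the quota values come from Okta's X-Rate-Limit-Limit, X-Rate-Limit-Remaining and X-Rate-Limit-Reset response headers, and the simulated scenario is constructed.

```python
class OktaThrottler:
    """Illustrative request pacing for the two throttling modes described above.

    delay() returns seconds to wait before the next request, given the quota
    values from the last Okta response: `limit` (requests per window),
    `remaining` (requests left) and `reset_in` (seconds until the window
    resets). Assumed source: Okta's X-Rate-Limit-* response headers.
    """

    def __init__(self, rate_limit_pct=50.0, dynamic=True, max_wait=60.0):
        if not 0 < rate_limit_pct <= 100:
            raise ValueError("Rate Limit Percent must be in (0, 100]")
        self.pct = float(rate_limit_pct)   # Rate Limit Percent
        self.dynamic = dynamic             # Dynamic Rate Throttling on/off
        self.max_wait = max_wait           # burst mode waits up to 60 s

    def delay(self, limit, remaining, reset_in):
        # Quota share left for other consumers of the same Okta account.
        reserved = limit * (1.0 - self.pct / 100.0)
        usable = remaining - reserved
        if usable <= 0:
            # Threshold reached: wait for the window to reset, at most max_wait.
            return min(max(reset_in, 0.0), self.max_wait)
        if not self.dynamic:
            return 0.0  # burst: keep sending until the threshold is hit
        # Adaptive: spread the usable requests evenly over the remaining window.
        return max(reset_in, 0.0) / usable


def pace_requests(throttler, limit, window, n_requests):
    """Simulate n_requests against a quota of `limit` per `window` seconds.

    Constructed scenario: nobody else uses the account. Returns send times.
    """
    times, now, remaining = [], 0.0, limit
    while len(times) < n_requests:
        reset_in = window - (now % window)
        wait = throttler.delay(limit, remaining, reset_in)
        if wait >= reset_in:  # the wait crosses into a fresh window
            remaining = limit
        now += wait
        times.append(round(now, 3))
        remaining -= 1
    return times
```

With a quota of 10 requests per 60 seconds and the default 50%, adaptive mode spaces requests evenly while burst mode sends five at once and then waits for the window to reset.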


(Optional) Change logging level

  1. On Splunk Web, go to the Splunk Add-on for Okta Identity Cloud, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Okta Identity Cloud.
  2. Click the Configuration tab.
  3. Click the Logging tab.
  4. Select a new logging level from the drop-down menu.
  5. Click Save to save your configurations.

(Optional) Proxy setup

  1. On Splunk Web, go to the Splunk Add-on for Okta Identity Cloud, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Okta Identity Cloud.
  2. Click the Configuration tab.
  3. Click the Proxy tab.
  4. Check Enable and fill in the required fields.

Only HTTPS proxies are supported.

Configure inputs for the Splunk Add-on for Okta Identity Cloud

To configure inputs for the Splunk Add-on for Okta Identity Cloud, complete these steps:

  1. On Splunk Web, go to the Splunk Add-on for Okta Identity Cloud, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Okta Identity Cloud.
  2. Click the Inputs tab.
  3. Click Create new input.
  4. Fill in the required fields:
    • Name: A name for the new input.
    • Interval: The input polling interval, in seconds. For the Apps metric the field is set to 86400 to reduce duplicate events; you can still change the interval to suit your needs.
    • Index: The index in which the Splunk platform stores events from Okta. The default is main.
    • Metric: The data type you want to collect. The current options are Logs, Users, Groups and Apps.
    • Start Date: The date at which data collection starts. The default start date is 7 days ago, in UTC. Editing an input to change the start date can result in duplicate data.
    • Okta Account: Your Okta account, configured in the previous steps.
    • Additional Settings: Checkbox, visible only when Logs is selected in the Metric field. Check it only if required for a specific use case.
    • Logs Delay: Visible only if Additional Settings is checked. Do not change its value unless absolutely necessary. It can range between 0 and 300; the default is 30.
    • Collect URIs: Visible only if Additional Settings is checked for the Apps metric. It is checked by default, so redirect URIs are ingested in the event. When it is unchecked, the long redirect URIs are not ingested; the fields removed from the event are settings.oauthClient.redirect_uris, settings.oauthClient.post_logout_redirect_uris, settings.oauthClient.logo_uri, and settings.oauthClient.client_uri.
    • Use existing data input: Visible only when editing an input to change the data collection Start Date. By default "Yes" is selected and the Start Date field cannot be edited. Select "No" to edit the start date.
    • End Date: Visible only if Additional Settings is checked for the Logs metric. Provide the date in the required date-time format. Data is collected up to this date.

In each polling interval the add-on collects log data only up to "Current UTC Time - Logs Delay", to avoid data loss. This offset works around Okta API limitations caused by system delays.
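The Logs Delay collection window and the Collect URIs field removal, as an added Python example rather than the add-on's own code; it assumes Logs Delay is expressed in seconds and uses a constructed sample Apps event.

```python
import copy
from datetime import datetime, timedelta, timezone

# Fields dropped from an Apps event when "Collect URIs" is unchecked.
URI_FIELDS = (
    "settings.oauthClient.redirect_uris",
    "settings.oauthClient.post_logout_redirect_uris",
    "settings.oauthClient.logo_uri",
    "settings.oauthClient.client_uri",
)

# Constructed sample Apps event (not a real Okta record).
SAMPLE_APP = {
    "id": "0oa_example", "label": "Example App",
    "settings": {"oauthClient": {
        "application_type": "web",
        "client_uri": "https://app.example.com",
        "redirect_uris": ["https://app.example.com/callback"]}},
}

def utc(iso):
    """Parse a timestamp like 2024-04-30T12:00:00Z as timezone-aware UTC."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logs_window(checkpoint, now, logs_delay=30, end_date=None):
    """Return (since, until) for one Logs poll, or None if nothing is due.

    `until` is now minus the Logs Delay (assumed seconds; 0-300, default 30)
    so events Okta has not yet made visible are not skipped; End Date caps it.
    """
    if not 0 <= logs_delay <= 300:
        raise ValueError("Logs Delay must be between 0 and 300")
    until = now - timedelta(seconds=logs_delay)
    if end_date is not None:
        until = min(until, end_date)
    return None if until <= checkpoint else (checkpoint, until)


def strip_uri_fields(event):
    """Return a copy of an Apps event with the URI fields removed."""
    out = copy.deepcopy(event)
    for dotted in URI_FIELDS:
        *parents, leaf = dotted.split(".")
        node = out
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(leaf, None)  # absent fields are ignored
    return out
```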

Upgrading the Splunk Add-on for Okta Identity Cloud to v1.1.0

  • The lookups are migrated to KVStore lookups. Run the saved searches to populate the KVStore lookups.
  • Disable the existing inputs before upgrading to the most recent version of the add-on, to prevent data loss.

Utilizing Macros in saved searches

  • The saved searches currently provided by the add-on search events in the default index of the Splunk instance.
  • To run the saved searches on a custom index, modify the definition of the okta_indexes macro:
    • Navigate to Settings > All Configurations.
    • Search for okta_indexes and click okta_indexes in the Name column.
    • Update the definition with the custom index, for example index=custom_index.
  • The saved searches will now search events in index=custom_index.

Working with saved searches

  • The add-on provides 6 saved searches, which previously were all scheduled to run together at 12:00 AM every day.
  • From add-on release 2.2.0 onwards, the saved searches are staggered at 10-minute intervals, starting at 11:00 PM, 11:10 PM, 11:20 PM, 11:30 PM, 11:40 PM and 11:50 PM.
  • This resolves the search concurrency issue the previous schedule could cause.
  • The saved searches also populate additional fields such as app_name, user_name, group_name and app_label in the KVStore lookups wherever applicable, and this enriched data is visible in the field extractions.

Utilizing Macros in Okta System Log Streaming Dashboard

  • The search query that populates the dashboard runs according to the macro's definition, which currently searches the default index.
  • To run the search query on a custom index, modify the definition of the okta_log_streaming_indexes macro:
    • Navigate to Settings > All Configurations.
    • Search for okta_log_streaming_indexes and click okta_log_streaming_indexes in the Name column.
    • Update the definition with the custom index, for example index=custom_index.
  • The search query will now search events in index=custom_index.

Last modified on 30 April, 2024
This documentation applies to the following versions of Splunk® Supported Add-ons: released