All Apps and Add-ons

Okta Add-on for Splunk not keeping up

New Member

I have the Okta Identity Cloud Add-on for Splunk installed on a heavy forwarder. The maximum log batch size is configured at 500,000, and every other limit setting (under add-on settings) is configured at the max. For inputs, it is configured to bring in log metrics, since I am interested in authentication API requests. I ran into some issues where logs would be about an hour or two behind in the afternoon of each day, since that is when the most amount of activity on our platform occurs. I ended up having to increase the typing queue and indexing queue on this heavy forwarder (in the server.conf file) in order to fix the queueing issues this box was running into. I still notice that in the afternoon it will fall behind 15 minutes to a half hour, and then by the time morning rolls around, it is caught up.
I checked the system logs in the Okta admin portal, and I am not hitting any rate limits, or even warnings when this occurs. I am wondering if I have hit the limit of either the API, or of the add-on itself. The box that runs this heavy forwarder only has about 25% of the memory used, and 25% of the CPU in use.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...