All Apps and Add-ons

Okta Add-on for Splunk not keeping up

New Member

I have the Okta Identity Cloud Add-on for Splunk installed on a heavy forwarder. The maximum log batch size is configured at 500,000, and every other limit setting (under add-on settings) is configured at the max. For inputs, it is configured to bring in log metrics, since I am interested in authentication API requests. I ran into some issues where logs would be about an hour or two behind in the afternoon of each day, since that is when the most amount of activity on our platform occurs. I ended up having to increase the typing queue and indexing queue on this heavy forwarder (in the server.conf file) in order to fix the queueing issues this box was running into. I still notice that in the afternoon it will fall behind 15 minutes to a half hour, and then by the time morning rolls around, it is caught up.
I checked the system logs in the Okta admin portal, and I am not hitting any rate limits, or even warnings when this occurs. I am wondering if I have hit the limit of either the API, or of the add-on itself. The box that runs this heavy forwarder only has about 25% of the memory used, and 25% of the CPU in use.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...