All Apps and Add-ons

Okta Alert Actions (oktaGroupMemberChange)

brettwilliams
Path Finder

This doesn't seem to work...  we've followed the instructions provided with the TA, but we're getting errors output from the scripts to the effect of basic tokens missing.  Also reaching out to Okta support directly.

 

 

2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=setup_util.py:log_error:110 | Credential account with username <our okta> can not be found

 

Yeah, we have this configured.

 

 

2020-07-10 15:33:13,487 DEBUG pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="_okta_client Invoked with a url of: https://<our okta>/api/v1/groups/<group>/users/<user>" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

 

OK, seems normal to me.  It attempts the API call, but what does cim_actions have to do with it?  Yes, we have CIM installed, and the add-on is good for all versions.

 

 

2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Error: 'NoneType' object has no attribute '__getitem__'. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved" action_status="failure"

 

NoneType has no attribute.  Even more vague.

 

 

2020-07-10 15:33:14,370 INFO pid=21898 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Invoking modular action" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409580_68741" rid="1" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

 

Then it goes ahead and tries to call the modular action anyway.

 

 

07-10-2020 15:39:23.653 -0400 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 4., search='sendalert oktaGroupMemberChange results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784/per_result_alert/tmp_1.csv.gz" results_link="https://<our search head>/app/TA-Okta_Identity_Cloud_for_Splunk/search?q=%7Cloadjob%20scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now"'

 

Error code 4...  nothing more than that.  The part of the script where that error is thrown is related to gathering parameters.  I suspect that maybe this is implemented, but never tested or confirmed to work.  But I could be wrong...

Labels (2)
Tags (2)
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...