I am trying to use the Okta App for Splunk with the latest Splunk release. I installed a test instance this week.
When I restart Splunk and trace Okta, I always get the following errors:
WARN DateParserVerbose - Accepted time (Mon Feb 03 01:40:27 2014) is suspiciously far away from the previous event's time (Tue Feb 04 05:16:47 2014), but still accepted because it was extracted by the same pattern. Context: source::C:\Program Files\Splunk/etc/apps/okta/bin/okta.py|host::swglog01|exec|0
2014-02-19 18:11:54.383000 app=okta event_id=okta.api.user.start severity=informational subject="Requesting User Object with limit 1000"
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\okta\bin\oktausr.py", line 54, in
In my Okta index there is no data 😞
Any idea what I am missing?
I configured the app, but I am receiving only the below in the logs:
2015-02-09 21:03:56.167978 app=okta event_id=okta.api.query.complete severity=informational subject="Closing with timestamp 2015-02-20T12:00:00.000Z"
2015-02-09 21:03:55.756511 app=okta event_id=okta.api.query.start severity=informational subject="Requesting API at offset 2015-02-20T12:00:00.000Z"
There is no other data and all dashboards are not working. Here is the config:
auth = SSWS
endpoint = /api/v1/events
limit = 1000
startdate = 2015-02-20T12:00:00.000Z
endpoint = /api/v1/users
limit = 2000
Scripts and buildlookup are enabled.
Any insight on this?
Finally it seems to be an issue with the browser I used - when using Internet Explorer all is fine!!
Chrome and Firefox raise an error...
Furthermore we had to look through all scripts as they were not interpreted correctly on Windows...
Hi Florian - I'm having the same issue.
What's weird is that the latest release of 1.1.0 claims to have fixed this bug:
Corrected a key mismatch causing events to log in raw JSON
Makes me think the wrong script was uploaded?
I emailed the author directly, no response yet. I'll let you know!