All Apps and Add-ons

Okta App not working


I am trying to use the Okta App for Splunk with the latest Splunk release. Installed test instance this week.

When I restart Splunk and trace Okta, I always get the following errors

WARN DateParserVerbose - Accepted time (Mon Feb 03 01:40:27 2014) is suspiciously far away from the previous event's time (Tue Feb 04 05:16:47 2014), but still accepted because it was extracted by the same pattern. Context: source::C:\Program Files\Splunk/etc/apps/okta/bin/|host::swglog01|exec|0

2014-02-19 18:11:54.383000 app=okta event_id=okta.api.user.start severity=informational subject="Requesting User Object with limit 1000" Traceback (most recent call last): File "C:\Program Files\Splunk\etc\apps\okta\bin\", line 54, in user[i][0] = evt['id'] KeyError: 'id'

In my Okta index there is no data 😞
Any idea what I am missing?


Splunk Employee
Splunk Employee

Hi Florian,

I released a new version of this yesterday -- can you please let me know if this resolves your issue? Thanks!

0 Karma



I configured the app but i am receiving only below in the logs:

2015-02-09 21:03:56.167978 app=okta event_id=okta.api.query.complete severity=informational subject="Closing with timestamp 2015-02-20T12:00:00.000Z"
2015-02-09 21:03:55.756511 app=okta event_id=okta.api.query.start severity=informational subject="Requesting API at offset 2015-02-20T12:00:00.000Z"

There is no other data and all dashboards are not working.. Here is the config


uri =
auth = SSWS


endpoint = /api/v1/events
limit = 1000
startdate = 2015-02-20T12:00:00.000Z


endpoint = /api/v1/users
limit = 2000

Scripts and buildlookup are enabled.

Any Insight on this?


0 Karma


URI and API token is also configured but somehow missed above while editing.

0 Karma


Finally it seems to be an issue with the browser I used - when using Internet Explorer all is fine!!
Chrome and Firefox raise an error...

Furthermore we had to look through all scripts as they were not interpreted correctly on Windows...

0 Karma

New Member

Hi Florian - I'm having the same issue.

What's weird is that the latest release of 1.1.0 claims to have fixed this bug:
Corrected a key mismatch causing events to log in raw JSON

Makes me think the wrong script was uploaded?

I emailed the author directly, no response yet. I'll let you know!

0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...