Okta Identity Cloud Add-On issue with default sear...

jgeorges · ‎11-10-2020

I have installed the Okta Identity Cloud Add-On into Splunk Cloud. I have setup individual indexes for each of the log types and accounts that I am ingesting.

I can see that the Okta logs are being ingested correctly but none of the default searches work.

By default they do a search on "sourcetype" however this returns no results:

sourcetype="oktaim2:log" event_type="okta_event_authentication" (host="*")

If I manually add the index to the search, then it works:

index="okta-*" sourcetype="oktaim2:log" event_type="okta_event_authentication" (host="*")

I can't find anywhere to set the default index. If I do a plain search for sourcetype="oktaim2:log" it also returns no results.

Is this an error when Splunk have installed the add-on, or a configuration I have missed, or do I just have to manually adjust all of the views ?

Any thoughts appreciated.

asridhara · ‎06-30-2021

As an Admin user, go to Settings > roles > select a role you want to enable default indexes for > Indexes > select default for okta index. Save .. Waaalah

Okta Identity Cloud Add-On issue with default searches

configuration

search

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?