Okta Identity Cloud Add-On issue with default sear...

jgeorges · ‎11-10-2020

I have installed the Okta Identity Cloud Add-On into Splunk Cloud. I have setup individual indexes for each of the log types and accounts that I am ingesting.

I can see that the Okta logs are being ingested correctly but none of the default searches work.

By default they do a search on "sourcetype" however this returns no results:

sourcetype="oktaim2:log" event_type="okta_event_authentication" (host="*")

If I manually add the index to the search, then it works:

index="okta-*" sourcetype="oktaim2:log" event_type="okta_event_authentication" (host="*")

I can't find anywhere to set the default index. If I do a plain search for sourcetype="oktaim2:log" it also returns no results.

Is this an error when Splunk have installed the add-on, or a configuration I have missed, or do I just have to manually adjust all of the views ?

Any thoughts appreciated.

asridhara · ‎06-30-2021

As an Admin user, go to Settings > roles > select a role you want to enable default indexes for > Indexes > select default for okta index. Save .. Waaalah

Okta Identity Cloud Add-On issue with default searches

configuration

search

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?