In a cloud instance of Splunk, I've tried to set up the Splunk Add-On for Okta by following the documentation (I've set up 1 data input for user metrics). When running a sourcetype=okta:im search, no results are returned, and when running the index=_internal source=*ta_okta* troubleshooting search, the following error messages are what stand out.
Failed to get stanza Okta - Users by data_input manager. Failed to setup config for okta TA: Failed to get stanza Okta - Users by data_input manager.
What is the reason(s) for these errors, and what are the possible solutions? Again, this is a cloud instance.
user for the name, and this was for the preset user metrics data input. Running sourcetype=okta:im found no results, but running the troubleshooting search, index=_internal source=*ta_okta* returned no errors.
I then tried adding event metrics data input using simply events as the name, ran the troubleshooting search once more, and that seems to have fixed it. Returned back with 10k records. Thank you!
Now I've got to set up the dashboard to show all the Okta related content. You wouldn't happen to have any insight into how to go about that, or better yet, directions to some documentation for creating a dashboard with predefined panels. Simply creating a new dashboard, and adding the Okta predefined panels doesn't seem to pull any data. Getting no results found.
I didn't realise I had put the inputs into a non-default index called
index="okta" sourcetype=okta:im returned results. Now I'll figure out how to adjust the panels to reference the Okta index, and all should be right in the world.
Got it now. Needed to convert the prebuilt panels into inline search panel then adjust the search string by amending it with index="okta" at the start of the line, and it's now pulling in data.
Thanks a lot!