All Apps and Add-ons

Splunk Add-On for Okta: How to troubleshoot error "Failed to get stanza Okta"?

bashpd
Engager

In a cloud instance of Splunk, I've tried to set up the Splunk Add-On for Okta by following the documentation (I've set up 1 data input for user metrics). When running a sourcetype=okta:imsearch, no results are returned, and when running the index=_internal source=*ta_okta* troubleshooting search, the following error messages are what stand out.

Failed to get stanza Okta - Users by data_input manager.

Failed to setup config for okta TA: Failed to get stanza Okta - Users by data_input manager.

What is the reason(s) for these errors, and what are the possible solutions? Again, this is a cloud instance.

Thank you.

0 Karma
1 Solution

rwang_splunk
Splunk Employee
Splunk Employee

Hi bashpd

  1. What version of Splunk add-on for Okta you are using?
  2. How did you configure you data input? via UI or inputs.conf? Try using UI to configure the inputs again and eliminate the space in your input name. let me know if it still doesn't work.

View solution in original post

rwang_splunk
Splunk Employee
Splunk Employee

Hi bashpd

  1. What version of Splunk add-on for Okta you are using?
  2. How did you configure you data input? via UI or inputs.conf? Try using UI to configure the inputs again and eliminate the space in your input name. let me know if it still doesn't work.

bashpd
Engager
  1. v1.1.0
  2. I've been configuring the data inputs via the UI. I've done what you've suggested with just user for the name, and this was for the preset user metrics data input. Running sourcetype=okta:im found no results, but running the troubleshooting search, index=_internal source=*ta_okta* returned no errors.

I then tried adding event metrics data input using simply events as the name, ran the troubleshooting search once more, and that seems to have fixed it. Returned back with 10k records. Thank you!

Now I've got to set up the dashboard to show all the Okta related content. You wouldn't happen to have any insight into how to go about that, or better yet, directions to some documentation for creating a dashboard with predefined panels. Simply creating a new dashboard, and adding the Okta predefined panels doesn't seem to pull any data. Getting no results found.

EDIT:

I didn't realise I had put the inputs into a non-default index called okta. Running index="okta" sourcetypey=okta:im returned results. Now I'll figure out how to adjust the panels to reference the Okta index, and all should be right in the world.

EDIT EDIT:

Got it now. Needed to convert the prebuilt panels into inline search panel then adjust the search string by amending it with index="okta" at the start of the line, and it's now pulling in data.

Thanks a lot!

rwang_splunk
Splunk Employee
Splunk Employee

I'm glad it's working.
Renee

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...