
Splunk App and Add-on for Okta: "Most Active Users" panel broken with incorrect sourcetype

itradeclayton
Path Finder

I just set up this add-on and app and wanted to let you know that the "Most Active Users" panel in the "Okta Login Analytics" dashboard was broken.

I believe this is the fix, at least it worked for me.

The search has this:

sourcetype="okta:events"

Should be this:

sourcetype="okta:im"


itradeclayton
Path Finder

Edit your Most Active Users search to use the right sourcetype (sourcetype="okta:im" instead of sourcetype="okta:events").

<title>Most Active Users</title>
<search>
  <query>eventtype=okta-events $User$ $Client$ (action.objectType="core.user_auth.login_success" OR action.objectType="core.user_auth.login_failed" OR action.objectType="core.user_auth.logout_success" OR action.objectType="core.user_auth.account_locked" OR action.objectType="core.user_auth.mfa_bypass_attempted" OR action.objectType="core.user.sms.message_sent.verify" OR action.objectType="core.user_auth.radius.login.failed" OR action.objectType="core.user_auth.radius.logout.success") sourcetype="okta:im" | eval AppInstance=case(NOT isnull(AppInstance1), AppInstance1, NOT isnull(AppInstance2), AppInstance2) | rename actors{}.login as login | chart count sparkline(count, 6h) as trend by login | sort -count</query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
</search>
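The fix above edits one panel by hand. An added example (not part of the original post or of the Splunk App for Okta) that does the same check for every `<query>` in a Simple XML dashboard: it lists the panels that still filter on `sourcetype="okta:events"` and rewrites them to `sourcetype="okta:im"`, leaving tokens, time pickers and other panel settings untouched. The dashboard embedded in the script is constructed for the demonstration and is a cut-down stand-in for the real "Okta Login Analytics" dashboard; the only fact taken from the thread is the `okta:events` to `okta:im` correction.

```python
"""Audit and patch the sourcetype used by <query> elements in a Splunk
Simple XML dashboard (added example, not the app's own code)."""
import re
import xml.etree.ElementTree as ET

# Constructed, cut-down dashboard: one panel with the wrong sourcetype,
# one already correct, one with no sourcetype filter at all.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Okta Login Analytics</label>
  <row>
    <panel>
      <table>
        <title>Most Active Users</title>
        <search>
          <query>eventtype=okta-events sourcetype="okta:events" | rename actors{}.login as login | chart count by login | sort -count</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Failed Logins</title>
      <single>
        <search>
          <query>eventtype=okta-events sourcetype="okta:im" action.objectType="core.user_auth.login_failed" | stats count</query>
        </search>
      </single>
    </panel>
    <panel>
      <chart>
        <title>Events Over Time</title>
        <search>
          <query>eventtype=okta-events | timechart count</query>
        </search>
      </chart>
    </panel>
  </row>
</dashboard>
"""


def _sourcetype_pattern(sourcetype):
    # Match the exact token sourcetype="<value>", tolerating spaces around '='.
    return re.compile(r'sourcetype\s*=\s*"%s"' % re.escape(sourcetype))


def panel_title(query_el, parents):
    """Return the title nearest to a <query>: the visualization's own
    <title>, else the enclosing <panel>'s, else '(untitled)'."""
    node = parents.get(query_el)
    while node is not None:
        title = node.find("title")
        if title is not None and title.text:
            return title.text.strip()
        node = parents.get(node)
    return "(untitled)"


def find_sourcetype(xml_text, sourcetype):
    """List the titles of panels whose search filters on `sourcetype`."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    pattern = _sourcetype_pattern(sourcetype)
    return [panel_title(q, parents)
            for q in root.iter("query")
            if q.text and pattern.search(q.text)]


def patch_sourcetype(xml_text, old, new):
    """Rewrite sourcetype="old" to sourcetype="new" in every <query>.

    Returns (patched_xml, titles_of_changed_panels). Only the query text
    is edited; the rest of the dashboard is serialized back unchanged.
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    pattern = _sourcetype_pattern(old)
    changed = []
    for q in root.iter("query"):
        if q.text and pattern.search(q.text):
            q.text = pattern.sub('sourcetype="%s"' % new, q.text)
            changed.append(panel_title(q, parents))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("panels still on okta:events:",
          find_sourcetype(SAMPLE_DASHBOARD, "okta:events"))
    patched, changed = patch_sourcetype(SAMPLE_DASHBOARD, "okta:events", "okta:im")
    print("patched panels:", changed)
    print("remaining:", find_sourcetype(patched, "okta:events"))
```

To run it against a real dashboard, read the file from the app's `default/data/ui/views/` directory into `xml_text`, write the patched result to the app's `local/data/ui/views/` copy so the change survives upgrades, and confirm with a quick `... | stats count by sourcetype` over `eventtype=okta-events` that `okta:im` is indeed the sourcetype your forwarder indexes.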

ppablo
Retired

Hi @itradeclayton

Thanks for sharing your fix with the community. Would you actually be able to post the suggested fix as an answer below? I can accept it so it resolves the question and shows up as having an accepted answer.

Thanks!

itradeclayton
Path Finder

sure thing... 🙂

ppablo
Retired

Awesome, thank you! Answer now accepted and upvoted 🙂
