All Apps and Add-ons

Splunk App and Add-on for Okta: "Most Active Users" panel broken with incorrect sourcetype

Path Finder

I just set up this add-on and app and wanted to let you know that the "Most Active Users" panel in the "Okta Login Analytics" dashboard was broken.

I believe this is the fix, at least it worked for me.

The search has this:

sourcetype="okta:events"

Should be this:

sourcetype="okta:im"

0 Karma
1 Solution

Path Finder

Edit your Most Active Users search to use the right sourcetype (sourcetype="okta:im" instead of sourcetype="okta:events")

<title>Most Active Users</title>
        <search>
          <query>eventtype=okta-events $User$ $Client$ (action.objectType="core.user_auth.login_success" OR action.objectType="core.user_auth.login_failed" OR action.objectType="core.user_auth.logout_success" OR action.objectType="core.user_auth.account_locked" OR action.objectType="core.user_auth.mfa_bypass_attempted" OR action.objectType="core.user.sms.message_sent.verify" OR action.objectType="core.user_auth.radius.login.failed" OR action.objectType="core.user_auth.radius.logout.success")  sourcetype="okta:im"| eval AppInstance=case(NOT isnull(AppInstance1), AppInstance1, NOT isnull(AppInstance2), AppInstance2) | rename actors{}.login as login | chart count sparkline(count, 6h) as trend by login  | sort -count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

View solution in original post

Path Finder

Edit your Most Active Users search to use the right sourcetype (sourcetype="okta:im" instead of sourcetype="okta:events")

<title>Most Active Users</title>
        <search>
          <query>eventtype=okta-events $User$ $Client$ (action.objectType="core.user_auth.login_success" OR action.objectType="core.user_auth.login_failed" OR action.objectType="core.user_auth.logout_success" OR action.objectType="core.user_auth.account_locked" OR action.objectType="core.user_auth.mfa_bypass_attempted" OR action.objectType="core.user.sms.message_sent.verify" OR action.objectType="core.user_auth.radius.login.failed" OR action.objectType="core.user_auth.radius.logout.success")  sourcetype="okta:im"| eval AppInstance=case(NOT isnull(AppInstance1), AppInstance1, NOT isnull(AppInstance2), AppInstance2) | rename actors{}.login as login | chart count sparkline(count, 6h) as trend by login  | sort -count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>

View solution in original post

Community Manager
Community Manager

Hi @itradeclayton

Thanks for sharing your fix with the community. Would you actually be able to post the suggested fix as an answer below? I can accept it so it resolves the question and shows up as having an accepted answer.

Thanks!

0 Karma

Path Finder

sure thing... 🙂

0 Karma

Community Manager
Community Manager

Awesome, thank you! Answer now accepted and upvoted 🙂

0 Karma