I just set up this add-on and app and wanted to let you know that the "Most Active Users" panel in the "Okta Login Analytics" dashboard was broken.
I believe this is the fix; at least it worked for me.
The search has this:
sourcetype="okta:events"
Should be this:
sourcetype="okta:im"
Edit your Most Active Users search to use the right sourcetype (sourcetype="okta:im" instead of sourcetype="okta:events")
<title>Most Active Users</title>
<search>
  <query>eventtype=okta-events $User$ $Client$
    (action.objectType="core.user_auth.login_success" OR action.objectType="core.user_auth.login_failed" OR action.objectType="core.user_auth.logout_success" OR action.objectType="core.user_auth.account_locked" OR action.objectType="core.user_auth.mfa_bypass_attempted" OR action.objectType="core.user.sms.message_sent.verify" OR action.objectType="core.user_auth.radius.login.failed" OR action.objectType="core.user_auth.radius.logout.success")
    sourcetype="okta:im"
    | eval AppInstance=case(NOT isnull(AppInstance1), AppInstance1, NOT isnull(AppInstance2), AppInstance2)
    | rename actors{}.login as login
    | chart count sparkline(count, 6h) as trend by login
    | sort -count</query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
</search>
Edit your Most Active Users search to use the right sourcetype (sourcetype="okta:im" instead of sourcetype="okta:events")
<title>Most Active Users</title>
<search>
  <query>eventtype=okta-events $User$ $Client$
    (action.objectType="core.user_auth.login_success" OR action.objectType="core.user_auth.login_failed" OR action.objectType="core.user_auth.logout_success" OR action.objectType="core.user_auth.account_locked" OR action.objectType="core.user_auth.mfa_bypass_attempted" OR action.objectType="core.user.sms.message_sent.verify" OR action.objectType="core.user_auth.radius.login.failed" OR action.objectType="core.user_auth.radius.logout.success")
    sourcetype="okta:im"
    | eval AppInstance=case(NOT isnull(AppInstance1), AppInstance1, NOT isnull(AppInstance2), AppInstance2)
    | rename actors{}.login as login
    | chart count sparkline(count, 6h) as trend by login
    | sort -count</query>
  <earliest>$field1.earliest$</earliest>
  <latest>$field1.latest$</latest>
</search>
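The fix above edits one panel by hand. If the add-on's sourcetype changed, any other panel in the same dashboard that still filters on sourcetype="okta:events" will also silently return zero results, so it is worth auditing the whole Simple XML file rather than one search. The script below is an added example written for this thread; it is not code from the poster, from the Okta add-on, or from the "Okta Login Analytics" dashboard. It parses a dashboard's Simple XML, lists every visualization whose <query> still pins the stale sourcetype, and rewrites those queries to sourcetype="okta:im". The embedded dashboard is a constructed, shortened sample with two panels (one stale, one already correct); the sourcetype names are taken from the thread. Before rewriting anything in your own environment, confirm which sourcetype your add-on actually produces, for example with eventtype=okta-events | stats count by sourcetype.

```python
"""Audit a Splunk Simple XML dashboard for searches that still filter on a
stale Okta sourcetype, and rewrite them to the sourcetype the add-on indexes.

Added example for this thread; not part of the Okta add-on or its dashboard.
The sample dashboard below is constructed for the demonstration.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Sourcetype values as reported in the thread: the dashboard shipped with the
# first, the add-on actually indexes the second.
OLD_SOURCETYPE = "okta:events"
NEW_SOURCETYPE = "okta:im"

# Match sourcetype=okta:events whether or not the value is quoted, allowing
# optional whitespace around the '=' as SPL does.
STALE_RE = re.compile(r'sourcetype\s*=\s*"?' + re.escape(OLD_SOURCETYPE) + r'"?')

# Constructed sample: a two-panel dashboard in Simple XML. The first panel is
# the stale "Most Active Users" search (shortened), the second is already fixed.
SAMPLE_DASHBOARD = """\
<dashboard>
  <label>Okta Login Analytics</label>
  <row>
    <panel>
      <chart>
        <title>Most Active Users</title>
        <search>
          <query>eventtype=okta-events $User$ $Client$ (action.objectType="core.user_auth.login_success" OR action.objectType="core.user_auth.login_failed") sourcetype="okta:events" | rename actors{}.login as login | chart count by login | sort -count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Event Types</title>
        <search>
          <query>eventtype=okta-events sourcetype="okta:im" | stats count by action.objectType</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
"""


def find_stale_panels(dashboard_xml: str) -> list[str]:
    """Return the titles of every visualization whose search still uses the
    stale sourcetype. In Simple XML the <title> and <search> are siblings
    under the visualization element (<chart>, <table>, ...), so we walk every
    element that has a direct <search> child."""
    root = ET.fromstring(dashboard_xml)
    stale: list[str] = []
    for viz in root.iter():
        search = viz.find("search")
        if search is None:
            continue
        query = search.findtext("query") or ""
        if STALE_RE.search(query):
            stale.append(viz.findtext("title") or "<untitled>")
    return stale


def fix_sourcetype(dashboard_xml: str) -> tuple[str, int]:
    """Rewrite every stale sourcetype filter to the current one.
    Returns the serialized dashboard and the number of replacements made."""
    root = ET.fromstring(dashboard_xml)
    changed = 0
    for query in root.iter("query"):
        new_text, n = STALE_RE.subn(f'sourcetype="{NEW_SOURCETYPE}"', query.text or "")
        if n:
            query.text = new_text
            changed += n
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("Stale panels:", find_stale_panels(SAMPLE_DASHBOARD))
    fixed_xml, count = fix_sourcetype(SAMPLE_DASHBOARD)
    print(f"Replaced {count} sourcetype filter(s); stale after fix:",
          find_stale_panels(fixed_xml))
```

To run it against a real dashboard, read the file from $SPLUNK_HOME/etc/apps/<app>/local/data/ui/views/ (the local copy, not default, so the change survives an app upgrade) into fix_sourcetype() and write the returned XML back; the returned count tells you how many searches were actually touched.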
Hi @itradeclayton
Thanks for sharing your fix with the community. Would you actually be able to post the suggested fix as an answer below? I can accept it so it resolves the question and shows up as having an accepted answer.
Thanks!
sure thing... 🙂
Awesome, thank you! Answer now accepted and upvoted 🙂