Please can someone confirm that the Splunk Add-on for Okta version 1.2 works with Splunk 6.5.0 Enterprise? I have used the Chrome extension 'Postman' to validate my token, and also curl from the Splunk server, all of which returned results. Yet I cannot get the add-on to work: after having tried both the configuration files and the web methods, it just doesn't work. The connection is being proxied and I can see the outbound calls to the API, yet it fails to connect.
The output in ta_okta.log is:
2016-11-01 10:51:00,603 ERROR pid=3580 tid=MainThread file=okta_rest_client.py:request:91 | Failed to connect https://mycompany.okta.com/api/v1/events?filter=published+ge+%222016-10-02T17%3A11%3A18.000Z%22&limi..., reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_okta/bin/okta_rest_client.py", line 80, in request
headers=headers)
File "/opt/splunk/etc/apps/Splunk_TA_okta/bin/splunktalib/httplib2/__init__.py", line 1593, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/splunk/etc/apps/Splunk_TA_okta/bin/splunktalib/httplib2/__init__.py", line 1335, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/splunk/etc/apps/Splunk_TA_okta/bin/splunktalib/httplib2/__init__.py", line 1257, in _conn_request
conn.connect()
File "/opt/splunk/etc/apps/Splunk_TA_okta/bin/splunktalib/httplib2/__init__.py", line 1018, in connect
sock.connect((self.host, self.port))
File "/opt/splunk/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
timeout: timed out
Confirmation or help would be useful.
According to our test, the Okta TA 1.2.0 can work with Splunk 6.5.0.
For the timeout issue, the root cause might be that the 60 second timeout is too short in your environment. We will try to adapt the timeout dynamically in the future to handle cases like this.
Regarding the start_date, the search and filter on the Okta side may take more time if the volume is too big, so that the response is delayed. If you want to collect all the data (since 30 days ago), you can try to set a longer timeout. Thanks!
OK, so it looks like a data volume issue... as I did not set the start_date variable, the app decides to set the date to 30 days. My organisation uses Okta a lot, and I mean a lot, therefore the connection would time out before the add-on could download the logs. BTW I am doing event log collection.
The app now works for me by doing the following actions:
1) local/inputs.conf - define start_date to only a few days; 30 might be too many to download. This can also be set under the data inputs on setup via the web GUI.
2) bin/okta_rest_client.py - I increased the timeout by changing the timeout value in the line:
return build_http_connection(self.config, timeout=60)
to :
return build_http_connection(self.config, timeout=120)
Bit of a pain if I am honest, but I hope this helps someone. Once you have the TA working, the App is pretty awesome.
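The start_date/timeout trade-off described in the fix above, as an added example that is not code from the Splunk Add-on for Okta: it rebuilds the events request shown in the log (filter=published ge "<start>") for a chosen lookback window and issues it with an explicit socket timeout, so a given start_date/timeout pair can be checked before the TA relies on it. Assumes Python 3 (the TA itself runs under Python 2.7), the Okta SSWS API token header, and the placeholder org name mycompany.okta.com taken from the log line.

```python
import socket
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

DEFAULT_LOOKBACK_DAYS = 30   # what the TA uses when start_date is unset
TA_DEFAULT_TIMEOUT = 60      # seconds, the value in okta_rest_client.py


def start_timestamp(now, lookback_days=DEFAULT_LOOKBACK_DAYS):
    """Okta-style ISO 8601 timestamp (millisecond precision, Z suffix)."""
    start = now - timedelta(days=lookback_days)
    return start.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_events_url(org, start_ts, limit=1000):
    """Same query shape (and URL encoding) as the failing URL in ta_okta.log."""
    params = {"filter": 'published ge "%s"' % start_ts, "limit": limit}
    return "https://%s/api/v1/events?%s" % (org, urlencode(params))


def probe(url, token, timeout=TA_DEFAULT_TIMEOUT):
    """Return ('ok', status), ('timeout', seconds) or ('error', text).

    A 'timeout' result means the window is too wide for this org/proxy at
    this timeout: shrink start_date in inputs.conf or raise the timeout.
    """
    req = urllib.request.Request(url, headers={
        "Authorization": "SSWS " + token,   # Okta API token scheme (assumed)
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ("ok", resp.status)
    except socket.timeout:
        return ("timeout", timeout)
    except urllib.error.URLError as exc:
        # urllib wraps a connect/read timeout in URLError on some paths
        if isinstance(exc.reason, socket.timeout):
            return ("timeout", timeout)
        return ("error", str(exc.reason))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # A 3-day window and a 120 s timeout, matching the fix in the thread
    url = build_events_url("mycompany.okta.com", start_timestamp(now, 3))
    print(url)
    print(probe(url, "REPLACE_WITH_API_TOKEN", timeout=120))
```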