Hi, we have the Okta Splunk Add-on installed to fetch logs from Okta cloud. Currently we are getting rate limit warnings with the Apps (api/v1/apps) endpoint, since our organization has more than 23,000+ users and 150+ apps onboarded to Okta (all users are assigned to all apps). Currently the add-on is fetching logs from the App endpoint once a day, with App limit set to 200, Throttling Threshold Pct set to 20 and Maximum log batch size left at the default of 60,000 in the configuration. We are receiving around 200+ warning alerts every day during the time logs are fetched.
We tried changing the value of App limit from 200 to 85, but that increased our warning count, so we rolled back. We also tried increasing Throttling Threshold Pct from 20 to 40, but there was no improvement. Can you please help us with a possible solution to fix these warnings?
Is the TA still collecting logs after receiving the warning messages? Are you worried only about the warning messages?
Yes, the add-on is collecting logs even after the warnings. Yes, we are worried about the warnings, as they may lead to violations in the future because we are planning to onboard more and more apps to Okta.
@nv @logloganathan Which add-on are you using?
If you are using the Splunk Add-on for Okta, it was last updated in 2016 and is no longer Splunk-supported, as Okta has created its own app and continues to update it. Refer to the following blog https://www.splunk.com/en_us/blog/tips-and-tricks/end-of-availability-splunk-built-apps-and-add-ons.... and try out the Okta Identity Cloud Add-on for Splunk.