Hi, Use the below add-on, https://splunkbase.splunk.com/app/3682/ Thanks, Sai ... View more

OKTA doesn't support custom sourcetypes. Please use default sourcetype (okta:im) if you are using a different one. Try running a curl to API Key/token on your Heavy forwarder where OKTA add-on is installed and make sure you are seeing response without any error or timeouts. curl -H "X-RFToken: 00ABCDXYZXXXXXXXXXXXXXXXXX" "https://XXXXXXXXXX.okta.com" Use (hxxps://splunkbase.splunk.com/app/3682/) this Add-on of OKTA in case if you are seeing issues with your current Add-on (version 1.3.0) since newer one works perfectly and it doesn't need https or http in OKTA domain name settings. Hope this helps!! Thanks, Sai ... View more

@skrish91 Please see my response in the post. ... View more

Run below command on your SearchHead(s) and make sure you are seeing modular inputs are running. [SH1-splunk~]$ps ax | grep modular_input 4218 ? Ss 0:14 python /opt/splunk/etc/apps/splunk_app_cloudgateway/bin/cloudgateway_modular_input.py 11630 ? Ss 1:24 python /opt/splunk/etc/apps/splunk_app_cloudgateway/bin/subscription_modular_input.py 29441 pts/0 S+ 0:00 grep modular_input Also, run the below command on SH's and make sure you are getting results without any timeouts. curl https://prod.spacebridge.spl.mobi/health_check curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: prod.spacebridge.spl.mobi" -H "Origin: https://prod.spacebridge.spl.mobi" -H "Authorization: c014fb4e" https://prod.spacebridge.spl.mobi/mobile Thanks, Sai ... View more

Hi, The best way to check if the akamai logs are ingesting to Splunk or not is to run a curl command on your Splunk HF where HEC is enabled. This will indicate if HEC input is working correctly or not in first place. Example: curl -k http://splunkHFserver1:8088/services/collector/event -H "Authorization: Splunk xxxxxxxxxxxxxxxxxxxxxxxxxxx" -d '{"sourcetype": "akamai:cm:json", "event": "TEST-EVENT-1"}' {"text":"Success","code":0} You should see a success message with Error code 0. if there are errors then check the SSL version used by Akamai and set cipherSuite setting accordingly in $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf Check if the version used by Akamai CM is compatible with your Splunk Version or not. Hope this info helps. Thanks, Sai Appali ... View more

Hi, Use below document for VNX configuration and also make sure you add/edit inputs on the Splunk HF server rather than adding in HF User Interface (UI), https://docs.splunk.com/Documentation/AddOns/released/EMCVNX/InstallVNXCLI Thanks, Sai ... View more

Hi, Remove Scope from inputs.conf and try loglevel as DEBUG to see performance data in Splunk. Below inputs works. [vnx_data_loader://sf_vnx_block] network_addr = 10.X.X.X username = vnxuser password = vnxpassword platform = VNX Block index = emc_vnx loglevel = DEBUG site = SF disabled = 0 Thanks, Sai ... View more

Hi, Add inputs on the Splunk HF server and not from the user interface (UI) and also make sure to remove scope from inputs and restart Splunk process on HF and it works. Note: Use the actual credentials that is used to connect to block array and do not use default (main) index. Try using a specific index for VNX with loglevel as DEBUG. Below configuration works. [vnx_data_loader://vnx_inventory_block] network_addr = 10.X.X.X username = VNXUser password = VNXPass platform = VNX Block index = vnx_test loglevel = DEBUG site = SF disabled = 0 Thanks, Sai ... View more

Hi, Could you please let me know on which Splunk Version you have installed Okta Identity Cloud Add-on? Install Add-on on the Splunk HF and also check the API Token that you are using is valid. You can use curl command to see if the API token used is valid or not, eg: curl -H "apikey: XYZ123XXXXXXXXXXX" "https://XYZ.okta.com/api/v1/users" Thanks, Sai ... View more