Hello, We released a new version of the Okta app yesterday that addressed this issue (among others) -- hopefully this helps! ... View more

Hello, I released a new version of the Okta app yesterday that hopefully addresses the issues others were seeing. If you have a specific use case I'd like to hear more about it so we can make the app more useful to everyone! ... View more

Hi Florian, I released a new version of this yesterday -- can you please let me know if this resolves your issue? Thanks! ... View more

Rogier, Have you updated to the latest release? We had something break with the Okta API. Please feel feel free to reach out to me directly to troubleshoot this. ... View more

Thanks for answering! In addition to jensihnow's comment-- If your website has multiple components (for example, if you use a CDN for static assets on a cookie-less domain), make sure you enter a separate Pinger stanza for each distinct domain. E.g., cdn.example.com, www.example.com. There are several examples in default/pinger.conf.example and the entire specification can be found in default/pinger.conf.spec Cheers! ... View more

In props.conf, you want to disable linebreaking. Just create (or use an existing) stanza for the sourcetype for your scripted input: [your_sourcetype] SHOULD_LINEMERGE = false For more info, check out the props.conf documentation: http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf ... View more

I traced the issue in your original report from the logfiles. I just posted 2.2 to address this issue -- it is a bug with Pinger introduced in 2.1. Thanks for helping me find it! ... View more

Ok thanks -- please let me know if you change your mind. More than happy to work with you through the config. ... View more

Hi! I'm Paul and Pinger is my creation. I included Windows directions in the README.txt in the app root but I'll paste the net here: Windows uses different path delimiters from *NIX or Mac. You must recreate the scripted input in local/inputs.conf and reverse the direction of the slashes. i.e.: [script://./bin/heartbeat.py] should become: [script://.\bin\heartbeat.py] on Windows ONLY. Be sure that you clone the stanza in inputs.conf and don't edit the default! Sorry for the confusion! I'll try to find a way to make that more visible. Also, the list of sites will populate within one hour. You can run the saved search "pinger_populate_sites" manually if you want it to populate before that. It builds a lookup table to populate the dropdown much more quickly. ... View more

That source might be the product of a summary index saved search. You shouldn't have to change the sources that are predefined. Not sure what sourcetype="vorcast" is. The web intelligence app should be looking for Apache access_combined or Microsoft IIS logs. These should be sourcetype="access_combined" or sourcetype="iis" If you open your search app, can you get results for any of the following searches? sourcetype="access_combined" sourcetype="access_common" sourcetype="iis" ... View more

In that box, you should put something like: index="main" sourcetype="access_combined" Of course, replace the index and sourcetype with actual values from your instance. ... View more

Have you gone through the setup process? /en-US/app/webintelligence/setup Particularly #3 -- "Specify Log Sources." It's been some time since I configured the app for web intelligence but this would certainly impact the population of the bundled dashboards. If so, do other dashboards populate? Do you get any error messages? Have you made any changes to the saved searches or eventtypes defined in the stock WI app? ... View more

Where are you searching? I'm using this URI: http://splunk-server:port/en-US/app/webintelligence/flashtimeline You can't just use the sourcename in the query without first specifying the lookup table as I mentioned above using the "lookup" command. The field does not exist before this. ... View more

If you want to search for a particular sourcename, use eventtype=web-traffic | lookup sourcenames.csv source outputnew sourcename | search sourcename="<SOURCENAME_TO_SEARCH>" Sourcename is not in the original event data so you must enrich the data through the lookup table. Keep in mind you'll need to be within the web intelligence app as neither the lookup nor eventtype have global visibility. ... View more

In your authentication.conf file: [roleMap_suAdmins] suadmin = user1.lastname;user2.lastname;user3.lastname;user4.lastname;user5.lastname Try changing this line: suadmin = AD_GROUP_NAME And make sure that user1.lastname is a member of that group in AD Also, we use this under the [suAdmins] stanza: groupBaseFilter = (objectClass=group) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn We're also on AD authentication. Hope this helps! ... View more

Hi Nick, I would expect this to be somewhat of a normal distribution (I failed to mention the range struck me as odd as well). The logs on which Splunk chewed are for the webserver only -- meaning only HTML (and headers for redirects, 404s, etc) are being served. We use Amazon CloudFront to distribute static assets including images, video, scripts, and stylesheets. The CDN origin logs to a different file and I did not import the origin logfiles to avoid skewing the data. The one-week logfile contained more than 1.5m lines and is the very reason I've never tried to analyze this by hand 🙂 ... View more