In a cloud instance of Splunk, I've tried to set up the Splunk Add-On for Okta by following the documentation (I've set up 1 data input for user metrics). When running a sourcetype=okta:im search, no results are returned, and when running the index=_internal source=*ta_okta* troubleshooting search, the following error messages are what stand out.
Failed to get stanza Okta - Users by data_input manager.
Failed to setup config for okta TA: Failed to get stanza Okta - Users by data_input manager.
What is the reason(s) for these errors, and what are the possible solutions? Again, this is a cloud instance.
Thank you.
Hi bashpd
user for the name, and this was for the preset user metrics data input. Running sourcetype=okta:im found no results, but running the troubleshooting search, index=_internal source=*ta_okta* returned no errors. I then tried adding event metrics data input using simply events as the name, ran the troubleshooting search once more, and that seems to have fixed it. Returned back with 10k records. Thank you!
Now I've got to set up the dashboard to show all the Okta related content. You wouldn't happen to have any insight into how to go about that, or better yet, directions to some documentation for creating a dashboard with predefined panels. Simply creating a new dashboard, and adding the Okta predefined panels doesn't seem to pull any data. Getting no results found.
EDIT:
I didn't realise I had put the inputs into a non-default index called okta. Running index="okta" sourcetype=okta:im returned results. Now I'll figure out how to adjust the panels to reference the Okta index, and all should be right in the world.
EDIT EDIT:
Got it now. Needed to convert the prebuilt panels into inline search panel then adjust the search string by amending it with index="okta" at the start of the line, and it's now pulling in data.
Thanks a lot!
I'm glad it's working.
Renee