Reset the Okta Splunk Add-on When It Stops Sending Logs
Administration
Okta Classic Engine
Okta Identity Engine
Integrations
Overview

The Okta Splunk add-on may unexpectedly stop sending logs to Splunk if Okta experiences connectivity issues on one of its cells. This article explains how to reset the Okta Splunk add-on when it stops sending logs to a Splunk instance.

Applies To
  • Okta Splunk add-on
  • Splunk
Cause

A connectivity issue on an Okta cell prevents the Okta Splunk add-on from reaching the Okta tenant.

Solution
  1. Log in to the Okta Splunk add-on on the Splunk instance.

  2. Set the log limit to 1000 (defaults to 100).

  3. Pause the current input.

  4. Identify how far behind the current collector is by using the following Splunk query:

index=_internal sourcetype="OktaIM2:addon" "stash n_val"
| eval after_time = tonumber(mvindex(split(after, "_"), 0))/1000
| eval current_seconds = _time
| eval minutesInPast = (current_seconds - after_time)/60
| timechart span=10m max(minutesInPast) by limit
  5. Set the log history value on the additional settings page to the delay duration plus 1 day.

  6. Define a new account using a distinct name. Use the same API token from before.

  7. Define a new log input that refers to the newly defined account.
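
Steps 4 and 5 combined into one search, as an added example that is not part of the original article or the add-on's own documentation: it reports the most recent checkpoint lag per input limit in days, and that delay rounded up plus 1 day. The field names lag_days and log_history_days are introduced here, and the example assumes the log history setting is entered in whole days.

```spl
index=_internal sourcetype="OktaIM2:addon" "stash n_val"
| eval after_ms = tonumber(mvindex(split(after, "_"), 0))
| where isnotnull(after_ms)
| eval lag_seconds = _time - (after_ms / 1000)
| stats latest(lag_seconds) as lag_seconds latest(_time) as last_checkpoint by limit
| eval lag_days = round(lag_seconds / 86400, 2)
| eval log_history_days = ceil(lag_seconds / 86400) + 1
| eval last_checkpoint = strftime(last_checkpoint, "%Y-%m-%d %H:%M:%S")
| table limit last_checkpoint lag_days log_history_days
```

Events whose after value does not parse as a number are dropped by the where clause rather than producing an empty lag.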

NOTE: If this solution does not resolve the issue, recreate the API key and reconfigure the Okta Splunk add-on. Splunk LLC builds the Splunk Add-on, and Okta does not officially support it. Okta recommends that users of the archived Okta Identity Cloud Add-on for Splunk use the Splunk Add-on for Okta Identity Cloud instead.
