Lookups for the Splunk Add-on for Okta Identity Cloud

The Splunk Add-on for Okta Identity Cloud has the following lookups. The CSV lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_okta_identity_cloud/lookups.

| File name | Description |
|---|---|
| okta2_eventType_related_info_220.csv | CSV Lookup. Maps eventTypes to the related CIM fields change_type, object_category, and object_attrs. |
| okta2_system_log.csv | CSV Lookup. Provides enriched information about each eventType by mapping fields like admin_interest, security_interest, release_note_date, event_type_description, and event_type_tags to the respective eventTypes. |
| okta2_app_assigned_group_lookup | KVStore Lookup. Maps app_id with group_id. This lookup is populated when the saved search “Okta2 app group” runs. The lookup populates fields such as app_id, app_name, app_label, and group_id. |
| okta2_app_detail_lookup | KVStore Lookup. This lookup is populated when the saved search “Okta2 app detail” runs. The lookup populates app fields such as id, name, label, created, lastUpdated, status, and signOnMode. |
| okta2_group_detail_lookup | KVStore Lookup. This lookup is populated when the saved search “Okta2 group detail” runs. The lookup populates group fields such as id, type, name, description, usersCount, appsCount, groupPushMappingsCount, and app_id. |
| okta2_user_detail_lookup | KVStore Lookup. This lookup is populated when the saved search “Okta2 user detail” runs. The lookup populates user fields like user_id, firstName, lastName, loginName, email, secondEmail, primaryPhone, mobilePhone, state, city, countryCode, zipCode, streetAddress, status, created_time, lastUpdated_time, lastLogin_time, and activated_time. |
| okta2_group_member_lookup | KVStore Lookup. This lookup is populated when the saved search “Okta2 group member” runs. The lookup stores the fields group_id, group_name, user_id, and user_name. |
| okta2_app_assigned_user_lookup | KVStore Lookup. This lookup is populated when the saved search “Okta2 app user” runs. The lookup stores the fields app_id, app_name, app_label, user_name, and user_id. |