Source and event types for the Splunk Add-on for Okta Identity Cloud
The Splunk Add-on for Okta Identity Cloud provides the following source types. The add-on assigns different source types based on the Metric selected from the input. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_okta_identity_cloud/lookups.
Source type | Description | Event Type | CIM data models |
---|---|---|---|
OktaIM2:log | System log events coming from Okta REST API endpoints. Refer to "CIM compatibility of Okta System Logs" for detailed information about Okta System Logs. | okta_identity_cloud_alerts, okta_identity_cloud_authentication, okta_identity_cloud_change_all_changes, okta_identity_cloud_change_account_management, okta_identity_cloud_network_traffic | Alerts, Authentication, Change:All_Changes, Change:Account_Management, Network Traffic |
OktaIM2:app | Okta app events. Not recommended unless really needed. | okta_app | Inventory:User |
OktaIM2:user | Okta user events | okta_user | Inventory:User |
OktaIM2:group | Okta group events | N/A | N/A |
OktaIM2:groupUser | Users associated with any group | N/A | N/A |
OktaIM2:appUser | Users associated with any app | okta_app_user | Change:Account_Management |