Hello,
My question is regarding Okta Add-on for splunk. ( Okta Identity Cloud Add-on for Splunk | Splunkbase
We discovered that the user import has not been able to fetch all the user accounts. We have been running this add-on for past 6 months or so.
As per the product documentation, the users input job should import all the user accounts in its 1st run and thereafter in subsequent runs, it only brings in the users who have been modified or changed. But in our case, we are seeing that even the 1st run did not bring in everything.
When we query index=okta sourcetype=OktaIM2:user for time range : ALL TIME, or last 1 year , it shows about 4000 user accounts . But in our Okta console there are about 8000+ user accounts.
What could be the cause of this discrepancy ?
Things i tried: Created a new input for Metric Type: Users and pointed it to save to a new index. Yet even in this new index, it did not pull in all the users, but just the ones that are modified from the date this new input was created.
Is there a way to manually run the user import to fetch everything from scratch ? Kindly assist. These are our settings
