Status: Open. sbrar-splunk opened 2 years ago
In the TA on your IDM, you should have Inputs configured to pull in Okta data. When you set up an input, you must select which "metric" you want the input to return. In the version I'm running, there are four types of Metrics: Logs, Users, Groups and Apps. I think if you just find the input which is configured to pull the "Users" metric and disable it, that should eliminate those API calls. In my stack, events returned by that input are tagged with sourcetype="OktaIM2:appUser".
No, this is not the User API (metric). That one is fine, and the sourcetype for it is OktaIM2:user. This is about the App API, which also hits skinny_user to pull the AppUser component.
OK. I'm no expert in these logs. I just thought I would try and jump-start the conversation for you a little. We use the TA too, so I have a vested interest in it.
We're collecting from the Apps API and are regularly hitting rate limits. It appears the add-on also collects AppUsers from the same endpoint. To reduce the number of API calls, please add an option to disable the AppUsers component (skinny_user). If this is possible today, please let us know how we can disable it.