mbegan / Okta-Identity-Cloud-for-Splunk

Public REPO for splunkbase app
https://splunkbase.splunk.com/app/3682/

Removing Sensitive Data Fields From sourcetype="OktaIM2:user" #45

Closed Spljerry closed 2 years ago

Spljerry commented 2 years ago

Hello, we are collecting this sourcetype="OktaIM2:user" and it contains the field profile.birthday. We are a Splunk Cloud user and need this to be available from just the TA if we could. If there were an option to exclude certain fields or to have them masked, that would be ideal. We are currently collecting this data back to a summary index, but that is only a temporary fix and we don't have a HF instance to run and to have other parsing take place, such as props and transforms. If we could have the collection happen for sourcetype="OktaIM2:user" and exclude the birthday field and possibly any others that contain PII, that would be ideal. Thanks.

mbegan commented 2 years ago

If you have PII concerns - DO NOT ingest user data, i.e. don't define the user metric inputs.

I actually advise that nobody turn on anything other than log inputs. The users, groups, and app data are superfluous.

Specific to this question - users.

When you define the user metric input the add-on retrieves user objects from Okta - this includes all of the profile information you have defined and populated in your Okta tenant.

The specific fields that are included in the lookup table are configurable - feel free to modify them in your instance.

https://github.com/mbegan/Okta-Identity-Cloud-for-Splunk/blob/aaab0e65f175ccae0a1428c99ed71025c1b172e7/default/savedsearches.conf#L69
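As an added example (not code from this thread or from the add-on), here is a field-level redaction filter in Python of the kind a modular input could apply to each Okta user object before emitting it, covering both the exclusion and the masking the issue asks about. The policy lists, the salt and the sample user are constructed assumptions; only profile.birthday comes from the issue.

```python
# Constructed redaction policy: dotted paths into the Okta user object.
import copy
import hashlib
import json

DROP_FIELDS = ("profile.birthday", "profile.mobilePhone")  # removed outright
MASK_FIELDS = ("profile.email",)  # replaced by a stable token, still joinable

def _resolve(obj, path):
    """Return (parent, key) for a dotted path, or (None, None) if absent."""
    parts = path.split(".")
    node = obj
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            return None, None
        node = node[part]
    if isinstance(node, dict) and parts[-1] in node:
        return node, parts[-1]
    return None, None

def _token(value, salt):
    """Pseudonymise a value: salted digest so equal inputs give equal tokens."""
    return hashlib.sha256((salt + str(value)).encode()).hexdigest()[:16]

def redact_user(user, drop=DROP_FIELDS, mask=MASK_FIELDS, salt="constructed-salt"):
    """Return a copy of the user with PII paths removed or pseudonymised."""
    out = copy.deepcopy(user)  # never mutate the object the API returned
    for path in drop:
        parent, key = _resolve(out, path)
        if parent is not None:
            del parent[key]
    for path in mask:
        parent, key = _resolve(out, path)
        if parent is not None:
            parent[key] = _token(parent[key], salt)
    return out

# Constructed sample shaped like an Okta user object (not real data).
SAMPLE_USER = {
    "id": "00u_example",
    "status": "ACTIVE",
    "profile": {"login": "jdoe@example.com", "email": "jdoe@example.com",
                "birthday": "1990-01-01", "mobilePhone": "+1 555 0100"},
}

if __name__ == "__main__":
    print(json.dumps(redact_user(SAMPLE_USER), indent=2))
```

Missing paths are skipped silently, so the same policy can run against tenants whose profile schema lacks some of the listed attributes.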