Okta Source
The Okta Source in Cribl Stream pulls security and audit activity from the Okta System Log API, so you can filter, enrich, and route Okta events to your downstream observability and security tools.
Type: Pull | TLS Support: Yes | Event Breaker Support: Yes
TLS is provided via HTTPS on the underlying Okta System Log REST API. This Source automatically handles event breaking and pagination via Okta’s Link headers.
Prerequisites
- A Cribl Stream deployment (Cloud or self-hosted).
- Your Okta org domain.
- An Okta API token authorized for System Log access.
How the Okta Source Handles Data
The Okta Source is a managed version of the REST Collector. When a collection job runs, Cribl Stream automatically manages the complex stages of API interaction. While these stages are not individually configurable in the UI, the job executes in the following order:
- Authentication: Connects to the Okta API using your stored secret/token.
- Collection: Pulls logs from the `/api/v1/logs` endpoint, automatically handling pagination via Link headers.
- Event Breaking: Automatically splits the returned JSON array into individual events.
- Pre-Processing (Optional): Applies any Pipelines or Packs you have selected in the Processing Settings.
For a detailed look at the underlying mechanics, see How REST Collectors handle data.
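The Collection and Event Breaking stages, sketched as an added example (not Cribl's or Okta's code). The `your-org.okta.com` host, the `send` callback that stands in for the authenticated GET, the sample pages, and the stop-on-empty-page rule are all constructed for illustration. Because the API token is sent with every request, the sketch follows a `next` link only when it stays on the same origin and path.

```javascript
// Added example. Sample pages are constructed; "your-org" is a placeholder.
const BASE = "https://your-org.okta.com/api/v1/logs";

// Pull { rel: url } pairs out of a Link header (RFC 8288 syntax).
function parseLinkHeader(header) {
  const links = {};
  for (const m of (header || "").matchAll(/<([^>]*)>\s*;\s*rel="?([^",;\s]+)"?/g)) {
    links[m[2]] = m[1];
  }
  return links;
}

// Return the next page URL, or null when the header carries no next link.
// A link that leaves the current origin or path is refused, not followed.
function nextPageUrl(linkHeader, currentUrl) {
  const next = parseLinkHeader(linkHeader).next;
  if (!next) return null;
  const here = new URL(currentUrl);
  const target = new URL(next, here);
  if (target.origin !== here.origin || target.pathname !== here.pathname) {
    throw new Error(`refusing next link outside ${here.origin}${here.pathname}`);
  }
  return target.href;
}

// Drain a bounded query. send(url) returns { status, headers, body }; it is
// synchronous here only because the responses are canned.
function collect(startUrl, send, maxPages = 1000) {
  const events = [];
  let url = startUrl;
  for (let page = 0; url && page < maxPages; page++) {
    const res = send(url);
    if (res.status !== 200) throw new Error(`HTTP ${res.status} from ${url}`);
    const batch = JSON.parse(res.body);   // each page is a JSON array
    if (batch.length === 0) break;        // empty page: nothing left in range
    events.push(...batch);                // event breaking: one element, one event
    url = nextPageUrl(res.headers.link, url);
  }
  return events;
}

// Constructed responses keyed by request URL.
const link = (self, next) => `<${BASE}?${self}>; rel="self", <${BASE}?${next}>; rel="next"`;
const PAGES = {
  [`${BASE}?limit=2`]: { status: 200, headers: { link: link("limit=2", "limit=2&after=a1") }, body: '[{"uuid":"e1"},{"uuid":"e2"}]' },
  [`${BASE}?limit=2&after=a1`]: { status: 200, headers: { link: link("limit=2&after=a1", "limit=2&after=a2") }, body: '[{"uuid":"e3"}]' },
  [`${BASE}?limit=2&after=a2`]: { status: 200, headers: { link: link("limit=2&after=a2", "limit=2&after=a2") }, body: "[]" },
};
const sample = collect(`${BASE}?limit=2`, (url) => PAGES[url]);
```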
Configure an Okta Source
- On the top bar, select Products, and then select Cribl Stream. Under Worker Groups, select a Worker Group. Next, you have two options:
  - To configure via QuickConnect, navigate to Routing > QuickConnect. Select Add Source and select the Source you want from the list, choosing either Select Existing or Add New.
  - To configure via the Routes, select Data > Sources. Select the Source you want. Next, select Add Source.
- In the Source modal, configure the following under General Settings:
  - Input ID: Enter a unique name to identify this Okta Source definition. If you clone this Source, Cribl Stream will add `-CLONE` to the original Input ID.
  - Description: Optionally, enter a description.
  - Okta API token (text secret): Select or create a stored text secret.
  - Okta domain: Your Okta domain (for example, `your-org`). Do not include `.okta.com`, `https://`, or trailing slashes.
  - Cron schedule: Schedule on which to run this collection job. Defaults to `*/5 * * * *`. See Scheduling for additional information.
  - Earliest: Earliest time for data collection, relative to now. Defaults to `-7d@d`.
  - Latest: Latest time for data collection, relative to now. Defaults to `now`.
  - Job timeout: Maximum time the job is allowed to run (for example, `30`, `45s` or `15m`). Units are seconds, if not specified. Defaults to `0`, meaning unlimited time.
  - Tags: Optionally, add tags that you can use to filter and group Sources in Cribl Stream’s UI. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
- Optionally configure Processing Settings, Retries, and Advanced Settings.
- Under Connected Destinations, choose Send to Routes and/or QuickConnect depending on how you want data to leave this Source.
- Select Save, then Commit & Deploy.
Scheduling
The Okta Source’s Cron schedule controls when export/list/download jobs run.
Job timeout: Maximum runtime for a job (30, 45s, 15m, and so on). Minimum granularity is often 10 seconds. Default 0 means no timeout.
Earliest and Latest: Relative time range for events to collect, using the same syntax as other REST Sources:
[+|-]<time_integer><time_unit>@<snap-to_time_unit>
Syntax reference:
| Syntax element | Values supported |
|---|---|
| Offset | `-` past, `+` future, or omit with `now`. |
| `<time_integer>` | Integer, or omit with `now`. |
| `<time_unit>` | `now`, or `s`, `m`, `h`, `d`, `w`, `mon`, `q`, `y`. |
| `@<snap-to_time_unit>` | Optional snap-to unit (see below). |
Rules:
- Earliest must not be later than Latest.
- Values without units are interpreted as seconds (for example, `-1` = `-1s`).
Snap-to-time syntax
@ rounds down from the evaluated time. For example:
- `@d` - start of the current day.
- `+128m@h` - forward 128 minutes, then snap back to the hour boundary.
Week/month/quarter/year snaps (@w, @w1-@w6, @mon, @q, @y) behave like other Cribl Stream Collectors.
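To check what window a pair of Earliest and Latest values produces before saving the Source, here is an added sketch of the syntax above (not Cribl's implementation). It covers only the fixed-length units `s`, `m`, `h`, `d`, `w` and the snaps `@s`, `@m`, `@h`, `@d`, rejects the calendar units, and assumes snapping is done in UTC; the function names and the sample clock value are constructed.

```javascript
// Added example. Fixed-length units only; snaps are computed in UTC (assumption).
const UNIT_MS = { s: 1000, m: 60000, h: 3600000, d: 86400000, w: 604800000 };

// Resolve one relative expression against a reference clock (epoch ms).
function resolveRelative(expr, nowMs) {
  const text = String(expr).trim();
  // [+|-]<time_integer><time_unit>@<snap-to_time_unit>, or "now", or a bare snap.
  const m = /^(?:now|([+-])(\d+)([smhdw])?)?(?:@([smhd]))?$/.exec(text);
  if (!m || text === "") throw new Error(`unsupported relative time: "${expr}"`);
  const [, sign, count, unit = "s", snap] = m;   // no unit means seconds
  let t = nowMs;
  if (count !== undefined) {
    t += (sign === "-" ? -1 : 1) * Number(count) * UNIT_MS[unit];
  }
  // Snap-to rounds down from the evaluated time, after the offset is applied.
  if (snap) t = Math.floor(t / UNIT_MS[snap]) * UNIT_MS[snap];
  return t;
}

// Resolve both bounds and enforce the rule that Earliest is not later than Latest.
function resolveWindow(earliest, latest, nowMs = Date.now()) {
  const from = resolveRelative(earliest, nowMs);
  const to = resolveRelative(latest, nowMs);
  if (from > to) {
    throw new Error(`Earliest (${earliest}) is later than Latest (${latest})`);
  }
  return { earliest: new Date(from).toISOString(), latest: new Date(to).toISOString() };
}

// Constructed reference clock: 2024-05-15T10:37:45Z.
const NOW = Date.UTC(2024, 4, 15, 10, 37, 45);
const defaultWindow = resolveWindow("-7d@d", "now", NOW);
```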
Processing Settings
Fields: Add fields to each event using Eval. Values can be JavaScript expressions or constants. Fields defined here normally override same-named fields on the event unless you choose to let event fields win.
Pre-Processing: When Send to Routes is enabled, optionally select a Pipeline (or Pack) to run on collected events before they enter Routes.
Retries
Adjust how failed HTTP requests are retried.
Retry type: Backoff (default), Static, or Disabled.
Initial retry interval (ms): Delay before the first retry after a failure. Max 20,000 ms. 0 means retry immediately until Retry limit is reached.
Retry limit: Max retries per failed request (default 5, max 20). 0 disables retries.
Backoff multiplier: Base for exponential backoff (default 2).
Retry HTTP codes: Defaults typically include 429 and 503. Non-2xx responses are errors.
Honor Retry-After header: When enabled (default), honor Retry-After up to the product maximum (longer delays may be ignored). Stream logs the delay when applicable.
Retry connection timeout / Retry connection reset: Optionally retry on ETIMEDOUT or ECONNRESET for more resilient long downloads.
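How these settings combine into a wait time, as an added sketch (not Cribl's implementation). The delay formula `initial × multiplier^(attempt − 1)`, the `initialMs` value, the `maxRetryAfterMs` cap standing in for the unspecified product maximum, and the two connection-retry flags defaulting to off are assumptions made for this example.

```javascript
// Added example. limit, multiplier and codes use the defaults stated above;
// initialMs, maxRetryAfterMs, retryTimeout and retryReset are constructed values.
const DEFAULTS = {
  type: "backoff", initialMs: 1000, limit: 5, multiplier: 2, codes: [429, 503],
  honorRetryAfter: true, maxRetryAfterMs: 60000, retryTimeout: false, retryReset: false,
};

// Retry-After is either a number of seconds or an HTTP-date (RFC 9110).
function parseRetryAfter(value, nowMs) {
  if (value == null) return null;
  if (/^\d+$/.test(value.trim())) return Number(value) * 1000;
  const when = Date.parse(value);
  return Number.isNaN(when) ? null : Math.max(0, when - nowMs);
}

// A failure is { status, headers } for an HTTP response or { code } for a socket error.
function isRetryable(failure, cfg) {
  if (failure.code === "ETIMEDOUT") return cfg.retryTimeout;
  if (failure.code === "ECONNRESET") return cfg.retryReset;
  return cfg.codes.includes(failure.status);
}

// Milliseconds to wait before retry number `attempt` (1-based), or null to give up.
function retryDelay(attempt, failure, cfg = DEFAULTS, nowMs = Date.now()) {
  if (cfg.type === "disabled" || cfg.limit === 0 || attempt > cfg.limit) return null;
  if (!isRetryable(failure, cfg)) return null;
  if (cfg.honorRetryAfter && failure.headers) {
    const asked = parseRetryAfter(failure.headers["retry-after"], nowMs);
    // A server-requested delay above the cap is ignored; the computed delay applies.
    if (asked !== null && asked <= cfg.maxRetryAfterMs) return asked;
  }
  if (cfg.type === "static") return cfg.initialMs;
  return cfg.initialMs * Math.pow(cfg.multiplier, attempt - 1);
}

// Delays for five consecutive 429 responses that carry no Retry-After header.
const schedule = [1, 2, 3, 4, 5, 6].map((n) => retryDelay(n, { status: 429, headers: {} }));
```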
Advanced Settings
Request timeout (seconds): Max time to wait for a request (defaults to 0 meaning wait indefinitely).
Time to live: How long Collector job artifacts remain on disk and in Job Inspector (default often 4h).
Environment: For GitOps, optionally limit this config to a single Git branch.
Connected Destinations
Send to Routes: Use the Routing table for conditional routing, filtering, and cloning.
QuickConnect: Send this Source’s output directly to one or more Destinations.
Internal fields
Cribl attaches the following Internal fields as metadata you can use in Functions:
- `__collectible`: Per-job metadata (`collectorType`, `collectorId`, and `resHeaders` when Capture response headers is enabled).
- `__collectStats`: `method`, `url`, `elapsedMS` for the Collect request.
- `__inputId`: Job identity - ad hoc: `collection:<timestamp>.<randomId>.adhoc.<Collector ID>`; scheduled: `collection:<Collector ID>`.
Proxy requests
To send Collect/Discover traffic through an HTTP/S proxy, configure System proxy settings.
Troubleshoot
- Non-200 HTTP responses are errors: behavior for multi-task jobs and redirects matches the REST Collector. See Response errors.
- Stuck jobs: Set Request timeout (seconds) in Advanced Settings and/or Job Timeout in task manifest limits.
- `TypeError [ERR_INVALID_URL]`: Usually from over-encoding the full URL; encode only the variable segments. See Troubleshoot in the REST Collector guide.
- `429 Too many requests`: Reduce parallelism, widen schedule intervals, and respect Okta rate limits. See Troubleshoot in the REST Collector guide.