Issues with using Splunk to poll activity data from PingOne.

Index not populated

Look at splunkd.log for clues. The script writes to and reads from a file, and it needs the appropriate permissions to do so.

Getting too much data

Consider filtering for the type of events you're interested in. In the script, look at activitiesRequestOptions and add a filter parameter at the end of the URI that meets your objective, such as: uri:'{lowerbound}%22%20and%20createdat%20le%20%22{upperbound}%22%20and%20action.type%20in%20(%22USER.CREATED%22%2C%22USER.UPDATED%22)&limit=500',

Not seeing status.json

Ensure that you have updated the STATUS_FILE constant to point to the appropriate location, such as: const STATUS_FILE = "/Applications/Splunk/bin/scripts/tmp/status.json";

Getting duplicate events

In case of errors, intervals will be retried and the client will receive duplicates. The handling of duplicates is the responsibility of the client, but you can use the Splunk | dedup id function to manage duplicates.

Not running a local Splunk instance

These instructions are for a local instance of Splunk. However, because the script prints results, you can use it with forwarders on a hosted solution.