# OKTA System Log API

This data pipeline extracts system logs from Okta using the System Log API.

<figure><img src="/files/TNSQErXOjd1BuYBsas78" alt=""><figcaption></figcaption></figure>

This pipeline pulls API logs from the OKTA platform using the [**HTTP Pull**](broken://pages/bZ07iBY7MKqfhB9A0NAf) Listener and transforms them from JSON to CSV format.

## Listen

The Listener pulls events and is set up through the **Configure as YAML** option with the following YAML:

<pre><code>withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 1m
  tz: UTC
  format: "2006-01-02T15:04:05"
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: "webLinking"
  limit: 1000
  request:
    responseType: json
    method: "GET"
    url: "****************"
    headers:
      - name: Accept
        value: "application/json"
      - name: Content-Type
        value: "application/json"
      - name: Authorization
        value: "**********"
    queryParams:
      - name: since
        value: "${temporalWindow.from}"
      - name: until
        value: "${temporalWindow.to}"
  output:
    select: "."
    map: "."
    outputMode: "element"
</code></pre>

{% hint style="info" %}
See the article dedicated to setting up OKTA system log APIs [here](/marketplace/falcon-onum-marketplace/pulling-pipelines/okta-system-log-api.md).
{% endhint %}

## Transform OKTA data

### Flat JSON

We need to flatten the incoming JSON into key-value pairs that we can then parse into more specific fields.

<figure><img src="/files/XhQFW5qQsSPsJzmc9WXa" alt=""><figcaption></figcaption></figure>

### Parser

The parser extracts the individual fields coming from the OKTA JSON into more detailed fields, including severity, actor information, user agent data and other transaction data.

<figure><img src="/files/zeuLJQCVwM1h1BuDz4oO" alt=""><figcaption></figcaption></figure>

### Message Builder

We use the [**Message Builder**](/the-workspace/pipelines/actions/formatting/message-builder.md) action to transform the fields to CSV format, using a comma as the delimiter.

You can now send your CSV containing OKTA logs to your preferred destination using a sink.
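
The three transform steps above (flatten, parse, build a comma-delimited message), sketched in Python as an added example; this is not Onum's implementation or code from the original page. The sample event is constructed, and the dotted key names and the column list are assumptions of this example.

```python
import csv
import io
import json

# Constructed sample event using Okta System Log field names; all values are made up.
SAMPLE_EVENT = json.loads("""{
  "published": "2024-01-01T12:00:00.000Z",
  "eventType": "user.session.start", "severity": "INFO",
  "actor": {"id": "00uEXAMPLE", "type": "User", "alternateId": "jane.doe@example.com"},
  "client": {"ipAddress": "192.0.2.10", "userAgent": {"rawUserAgent":
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"}},
  "outcome": {"result": "SUCCESS", "reason": null},
  "transaction": {"type": "WEB", "id": "txn-example-1"},
  "target": [{"id": "00uEXAMPLE", "type": "User"}]
}""")

# Column order for the CSV; the dotted names are this example's convention (assumption).
COLUMNS = ["published", "severity", "eventType", "actor.alternateId", "actor.type",
           "client.ipAddress", "client.userAgent.rawUserAgent", "outcome.result",
           "transaction.id", "target.0.type"]

def flatten(value, prefix=""):
    """Flatten nested dicts and lists into {"a.b.0.c": leaf} pairs."""
    if isinstance(value, dict):
        items = value.items()
    elif isinstance(value, list):
        items = enumerate(value)
    else:
        return {prefix: value}
    flat = {}
    for key, child in items:
        flat.update(flatten(child, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def to_csv_row(event, columns=COLUMNS):
    """Build one comma-delimited line; missing or null fields become empty."""
    flat = flatten(event)
    buf = io.StringIO()
    writer = csv.writer(buf)  # default dialect quotes fields holding , " CR or LF
    writer.writerow(["" if flat.get(c) is None else str(flat[c]) for c in columns])
    return buf.getvalue().removesuffix("\r\n")

if __name__ == "__main__":
    print(",".join(COLUMNS))
    print(to_csv_row(SAMPLE_EVENT))
```

Browser user-agent strings often contain commas (`KHTML, like Gecko`), so an unquoted `rawUserAgent` shifts every later column at the destination. When building the CSV, check how fields that contain the delimiter are handled.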


