Is the Splunk Add-on for Microsoft Cloud Services compatible with Splunk Free?

apwsoftware
New Member

Hi,

I have been using the Splunk Add-on for Microsoft Cloud Services on my Splunk Enterprise trial. Now that the trial period has expired it has reverted to the Free license. But this add-on has stopped working. I haven't found anywhere that says it shouldn't work with the free version, and the free version should support apps. So does anyone know why it wouldn't be working?

Splunk Web doesn't render, it just hangs saying Loading...

And if I look at the Network tab I can see that the following two calls:

/en-GB/splunkd/_raw/servicesNS/nobody/Splunk_TA_microsoft-cloudservices/splunk_ta_ms_o365/1.0/ta_o365_server_accounts?output_mode=json&count=10&sort_dir=asc&sort_key=name&search=&offset=0&=1497358763006

and

/en-GB/splunkd/_raw/servicesNS/nobody/Splunk_TA_microsoft-cloudservices/splunk_ta_ms_o365/1.0/ta_o365_server_management_api_inputs?output_mode=json&count=100&sort_dir=asc&sort_key=name&search=&offset=0&=1497358763007

are both returning 500 errors. The message in both cases is:

{"messages":[{"type":"ERROR","text":"External handler failed with code '1' and output: 'REST ERROR[403]: Unauthorized client for the requested action - capability=ta_o365_configuration'. See splunkd.log for stderr output."}]}

Does anyone have any ideas why this would not be working?

Thanks for any help,

Iain

0 Karma

povares_splunk
Splunk Employee

Try this:

vi /opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/ca_certs_locater.py

Look for TEMP_CERT_FILE_PATH
and update it to '/etc/pki/tls/certs/ca-bundle.crt'

TEMP_CERT_FILE_PATH = '/etc/pki/tls/certs/ca-bundle.crt'

Save the changes and restart Splunk

Please let us know if this works for you.

https://splunkcommunities.force.com/customers/apex/ArticleDetailPage?URLName=Add-on-Microsoft-Cloud-...

0 Karma

arunsunny
Path Finder

Hey @povares_splunk

Splunk_TA_microsoft-cloudservices/bin/splunktamscs/ca_certs_locater.py

TEMP_CERT_FILE_NAME = 'httplib2_merged_certificates_{}.crt'

Whenever the inputs run, this script creates the cert file under the /tmp/ directory, and it never gets deleted, making the /tmp/ directory full.

Is this a bug with the app?

Or is it required to create a cert file while running inputs?


Regards,

Arun Sunny 

0 Karma

jplumsdaine22
Influencer

I don't think Splunk Free supports custom roles. As you can see in the error message, the app is complaining about capability=ta_o365_configuration. If you have a look in /Splunk_TA_microsoft-cloudservices/default/authorize.conf you'll see the custom capabilities provided by the app:

[capability::ta_o365_configuration]
[capability::ta_o365_system_configuration]
[capability::ta_o365_get_credential]

To get it to work with Splunk Free I suppose you'll need to modify the app to remove reliance on those capabilities, but I don't think it's as simple as removing the entries for authorize.conf, if indeed it is even possible.

I notice in the Splunk Base entry for this app (https://splunkbase.splunk.com/app/3110/) it does say that the app is only compatible with Splunk Cloud and Splunk Enterprise, so I'm guessing it won't be able to run with the free version.

0 Karma
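
An added example, not part of the thread or the add-on's own code: a short Python check that pulls the capability name out of a 403 handler error like the one in the question and lists which roles in an authorize.conf enable each custom capability. The sample configuration is constructed; the three capability stanzas are the ones quoted above, and the `[role_admin]` grants are an assumption, since the thread does not show the app's role stanzas.

```python
import re

# Constructed sample: the three capability stanzas quoted in the post above,
# plus an assumed role stanza (the thread does not show the app's role grants).
SAMPLE_AUTHORIZE_CONF = """\
[capability::ta_o365_configuration]
[capability::ta_o365_system_configuration]
[capability::ta_o365_get_credential]

[role_admin]
ta_o365_configuration = enabled
ta_o365_system_configuration = enabled
"""

# Error text taken from the original question.
SAMPLE_ERROR = ("REST ERROR[403]: Unauthorized client for the requested action"
                " - capability=ta_o365_configuration")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def capability_grants(conf_text):
    """Map each declared custom capability to the roles that enable it."""
    stanzas = parse_conf(conf_text)
    grants = {name.split("::", 1)[1]: []
              for name in stanzas if name.startswith("capability::")}
    for name, settings in stanzas.items():
        if name.startswith("role_"):
            for cap, state in settings.items():
                if cap in grants and state.lower() == "enabled":
                    grants[cap].append(name[len("role_"):])
    return grants

def missing_capability(error_text):
    """Extract the capability named in a 403 handler error, or None."""
    match = re.search(r"capability=([A-Za-z0-9_]+)", error_text)
    return match.group(1) if match else None
```

To run it against a real installation, pass the contents of the app's default/authorize.conf (and any local/authorize.conf) to `capability_grants` and compare the result with the roles held by the user who sees the error.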