All Apps and Add-ons

Why am I getting an error instead of data with MSO365 Reporting add on for Splunk?

MikeBertelsen
Communicator

Reviewing the /opt/splunk/var/log/splunk/ta_ms_o365_reporting_ms_o365_message_trace.log,
I see the following:

2018-04-02 10:32:15,061 ERROR pid=31792 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderby=Received%20asc&$filter=StartDate%20eq%20datetime'2018-03-28T10:32:14.556660Z'%20and%20EndDate%20eq%20datetime'2018-04-02T15:29:14.556674Z'

Any help would be appreciated

0 Karma

kaviyab
New Member

Hi,

Can we use oauth (bearer) token to get these details?

Thanks,
Kaviya,

0 Karma

jconger
Splunk Employee
Splunk Employee

This add-on makes use of the Office 365 Reporting Web Service. It is pretty easy to test this web service outside of Splunk using cURL or Postman (my personal favorite as of this writing) because the web service uses Basic Auth - meaning you can enter your O365 username and password and send the request without having to obtain an OAuth access token.

Here is a screenshot of using Postman to test the web service:

alt text

Try copying/pasting the URL you get in the error message into cURL or Postman to get more information.

0 Karma

GarethPayne
New Member

I was also getting this error. Under the configuration section of the Reporting Add-on, I re-entered the username (SMTP address) and password and saved. Connection into Office365 was then good and the error ceased.

0 Karma

xvieni
Engager

We experienced the exact same symptoms when we deployed this app. After some investigation together with our windows/AD guys we found that the O365-account we are using for this was setup for “multifactor authentication”.
After configuring the correct exceptions for this account everything is working perfectly.

//Nico

0 Karma

kaviyab
New Member

Can u please share the steps to resolve this issue for “multi factor authentication” environment?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...