- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Query Window Size is required and should be at lea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query Window Size is required and should be at least 1 minute
[ms_o365_message_trace://Ouro365data]
delay_throttle = 1440
index = o365
input_mode = continuously_monitor
interval = 3600
office_365_password = THE_PASSWORD
office_365_username = Our_account@email.thing.stuff
query_window_size = 60
sourcetype = ms:o365:reporting:messagetrace
^That is our inputs.conf in local for the app. Was created via the GUI. However, after upgrade and having to switch to user/password, the app is now complaining about query window size.
HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"<class 'splunktaucclib.rest_handler.error.RestError'>\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\". See splunkd.log for more details."}]}
That is from the var/log/splunk/ta_ms_o365_reporting_ms_o365_message_trace.log
06-26-2018 18:01:36.514 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n
^Splunkd.log line
Has anyone else had this issue or have a fix. I've completely deleted the local folder (after backup) and then even re-installed the app fresh and created an input from scratch. Still not recognizing that query_window_size is set.
Please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per comment, this worked for me:
Edit /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/input_module_ms_o365_message_trace.py
Manually set query_window_size and delay_throttle like so:
def validate_input(helper, definition):
input_mode = definition.parameters.get('input_mode')
interval = definition.parameters.get('interval')
query_window_size = 60
delay_throttle = 1440
# query_window_size = definition.parameters.get('query_window_size', None)
# delay_throttle = definition.parameters.get('delay_throttle', None)
start_date_time = definition.parameters.get('start_date_time', None)
end_date_time = definition.parameters.get('end_date_time', None)
start = None # Local instance of start date
end = None # Local instance of end date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's odd that you see this behavior after an uninstall/reinstall. Make sure the query_window_size isn't overridden somewhere by using btool from the command line:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug | grep "query_window_size"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having the same problem. The btool command suggests only one source for the query_window_size setting. I'm not sure what changed when, but it was working fine before. I've not changed anything that I know of.
The end result is that this app no longer works and I was finding it very useful. Is there a fix? Anything I can try?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I manually editing the values in /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/input_module_ms_o365_message_trace.py
To this:
def validate_input(helper, definition):
input_mode = definition.parameters.get('input_mode')
interval = definition.parameters.get('interval')
query_window_size = 60
delay_throttle = 1440
# query_window_size = definition.parameters.get('query_window_size', None)
# delay_throttle = definition.parameters.get('delay_throttle', None)
start_date_time = definition.parameters.get('start_date_time', None)
end_date_time = definition.parameters.get('end_date_time', None)
start = None # Local instance of start date
end = None # Local instance of end date
it seems to be working again.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
