O365 is configured to send the messagetrace logs to a Splunk heavy forwarder. The messagetrace logs are intermittently logged. The O365 team said there is no blocker from their end. In this case somehow the logs never came to Splunk in those gaps. We are trying to understand what happened. I have attached a screenshot which shows an instance where the logging is intermittent. We had reached out to Splunk support with a vendor case and they said that they won't be able to support this as it's a community app/add-on. The issue continues to occur to this day.
Do you see any errors in the _internal index related to this add-on?
index=_internal source="*ta_ms_o365_reporting_ms_o365_message_trace*"
Also, check your input parameters like window size and delay throttle. For more information on what those settings do, check out this post -> https://answers.splunk.com/answers/719725/input-settings-for-microsoft-office-365-reporting.html
Any update on this?
This Add-on has been pretty reliable for me so this seems pretty odd...