
After the Microsoft Office 365 App for Splunk was successfully installed, why are the dashboards not populating?

clozach
Path Finder

Hi,

I installed the add-on for Microsoft Office 365 and then installed the app for Microsoft Office 365 for the dashboards. The installation went fine, but the dashboards are not populating. When I open the searches, it looks like it's using data models or something.

Does anyone know anything about this? Below is a search from a dashboard panel with no results.

`o365_sourcetypes` Workload=AzureActiveDirectory | timechart dc(user)
1 Solution

ChrisBell04
Communicator

The latest version, 3.0, of this app appears to have removed the usage of most of the defined macros. Now most of the dashboard queries use only sourcetype=something, with no index specified (not a Splunk best practice), which can also result in no data being populated. This forces a user to edit every dashboard (or the underlying XML files) to properly define every index (or use their own custom macro for it).

Sure would be great if a future release used macros on all the dashboards again.


rlait_splunk
Splunk Employee

Hey Chris, thanks for the feedback. I've updated the searches to include a default index macro.
Edit the m365_default_index macro to include your M365 index.
v3.0.1 is now up on Splunkbase.

Cheers,
Ryan


ChrisBell04
Communicator

@rlait_splunk
Thanks for the fast fix and release!


ssattler
Path Finder

Getting permissions errors. The documentation is not quite clear, or current, for O365; the O365 admins are stuck. I can see permission errors and they have no idea what to change...


rlait_splunk
Splunk Employee

The o365_sourcetypes macro is just an easy way of defining the sourcetypes from both the O365 add-on and the Microsoft Cloud Services add-on. You can expand the macro inline by hitting Ctrl+Shift+E on your keyboard (Command+Shift+E on Mac).

Check that the Splunk role you're using is searching specific indexes by default. Best practice for building dashboard content is to exclude index definitions.

Worst case you could edit the macro and prefix the macro with index="YOUR O365 INDEX"

Hope that helps!

richgalloway
SplunkTrust

The unfortunate thing about Splunk apps is they're not magic. Sometimes they work right out of the box and sometimes they don't. It depends on your data.

Start by looking at the o365_sourcetypes macro. Does it reference a sourcetype that exists in your data? What about the index name?

Does your data have fields called 'Workload' and 'user'?

---
If this reply helps you, Karma would be appreciated.
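The checks richgalloway lists above (does the macro match real sourcetypes, is the index right, do the Workload and user fields exist), plus the role/default-index point and the index-prefix workaround from rlait_splunk's replies, written out as five searches you can paste into the search bar one at a time. This is an added example, not code from the thread or from the app. The macro names o365_sourcetypes and m365_default_index come from the thread; the role name user, the index name o365, the sourcetype wildcard o365* and the 24h window are assumptions to adjust for your environment.

```spl
| rest /services/authorization/roles splunk_server=local
| search title="user"
| table title srchIndexesDefault srchIndexesAllowed

| rest /servicesNS/-/-/admin/macros splunk_server=local
| search title IN ("o365_sourcetypes", "m365_default_index")
| table title definition eai:acl.app eai:acl.sharing

| tstats count WHERE index=* sourcetype=o365* earliest=-24h BY index sourcetype

`o365_sourcetypes` earliest=-24h
| fieldsummary
| search field IN (Workload, user, UserId)
| table field count distinct_count

index="o365" `o365_sourcetypes` Workload=AzureActiveDirectory earliest=-24h
| timechart dc(user)
```

The first search shows which indexes your role searches when a query names none (srchIndexesDefault); if the O365 index is not in that list, every dashboard panel that omits the index returns nothing, which is the symptom in the original question. The second search shows the literal definition of both macros without needing Ctrl+Shift+E; if eai:acl.sharing is app rather than global, run the remaining searches from inside the Microsoft Office 365 app so the macros resolve. The third search finds which index and sourcetypes actually hold the data (widen the sourcetype wildcard to match whatever the macro definition showed). The fourth confirms the fields the panel needs exist; seeing UserId but no user usually means the add-on's search-time field aliases are not applied, i.e. the add-on is not installed on the search head. The last search is the dashboard panel with the index stated explicitly, which is the workaround both answers describe; with v3.0.1 you would instead set the m365_default_index macro to index="o365" and leave the panel searches alone.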