MS O365 Message Tracing - HTTP500/400 on TA Start - Config Issue?

tobinbxnz
Explorer

HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- Validation for scheme=ms_o365_message_trace failed: The script returned with exit status 1.\". See splunkd.log for more details."}]}

local/inputs.conf has the stanza header like this:

[ms_o365_message_trace://NNN-O365]

I've read through the bin/ms_o365_message_trace.py and it would seem like a syntax error ... the code seems to refer to a mandatory value pair of name = NNN-O365. What am I doing wrong?

We configure our remote HFs using conf files directly as there is no easy way to run the GUI on them (AWS, corporate network, etc., etc.).

Cheers


tobinbxnz
Explorer

You have to use the GUI to set up the input initially as this does the password saving/hashing ...

THEN you have to remove the $orderby=Received asc from the URL in the python bin/input_module_ms_o365_message_trace.py

THEN ... maybe ... tweak the timings/delay values to stay under 10000 events per incantation


tobinbxnz
Explorer

Plus, no hyphen/dash in the name, needs to be underscore ...

Reliably doing 60k+ events in the continuous and 300k+ in the index_once. Arriving at the appropriate time window/interval size has been more error than trial. Note that the TA will buffer the incoming events into memory until it's finished its retrieval cycle from the REST API. This will especially come into play if this TA is co-located with others such as SAMCS.

Both methods can run simultaneously. We're doing 15min interval for the continuous and a 1.5h window for the index_once. Using the GUI to update the index_once values each time WILL RESTART just the index_once input - WooHoo!

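As an added example (not code from the TA or from the posts above), a small pre-flight check for the two configuration fixes described in the thread: it parses a local/inputs.conf to flag a hyphen in the ms_o365_message_trace input name, and strips the $orderby parameter from a trace URL. The sample stanzas and the example.invalid URL are constructed, and the stanza keys are assumptions, not the TA's documented schema.

```python
import configparser
from urllib.parse import urlsplit, urlunsplit

SCHEME = "ms_o365_message_trace"

# Constructed sample of a local/inputs.conf; not taken from a real deployment.
# The first stanza repeats the hyphenated name that the thread reports failing.
SAMPLE_INPUTS_CONF = """
[ms_o365_message_trace://NNN-O365]
interval = 900
index = o365

[ms_o365_message_trace://NNN_O365_index_once]
interval = 5400
index = o365
"""


def check_stanza_names(conf_text):
    """Return (stanza, problem) pairs for ms_o365_message_trace inputs whose
    name contains a hyphen, which the thread says the TA will not accept."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    problems = []
    for section in parser.sections():
        scheme, sep, name = section.partition("://")
        if sep and scheme == SCHEME and "-" in name:
            problems.append((section, "input name must use underscores, not hyphens"))
    return problems


def drop_orderby(url):
    """Remove the $orderby query parameter that the thread says has to be deleted
    from the trace URL built in bin/input_module_ms_o365_message_trace.py.
    The query is split on '&' without decoding so the OData $filter encoding
    is preserved exactly as written."""
    parts = urlsplit(url)
    kept = [p for p in parts.query.split("&") if p and not p.startswith("$orderby=")]
    return urlunsplit(parts._replace(query="&".join(kept)))


if __name__ == "__main__":
    for stanza, problem in check_stanza_names(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: {problem}")
    # Constructed URL shape for illustration only; the real endpoint is the TA's.
    print(drop_orderby("https://example.invalid/MessageTrace"
                       "?$filter=StartDate%20eq%20datetime'2024-01-01T00:00:00Z'"
                       "&$orderby=Received%20asc"))
```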