HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- Validation for scheme=ms_o365_message_trace failed: The script returned with exit status 1.\". See splunkd.log for more details."}]}
local/inputs.conf has the stanza header like this:
[ms_o365_message_trace://NNN-O365]
I've read through the bin/ms_o365_message_trace.py and it would seem like a syntax error ... the code seems to refer to a mandatory value pair of name = NNN-O365. What am I doing wrong?
We configure our remote HFs using conf files directly as there is no easy way to run the GUI on them (AWS, corporate network, etc., etc.).
Cheers
You have to use the GUI to set up the input initially as this does the password saving/hashing ...
THEN you have to remove the $orderby=Received asc from the URL in the python bin/input_module_ms_o365_message_trace.py
THEN ... maybe ... tweak the timings/delay values to stay under 10000 events per incantation
Plus, no hyphen/dash in the name, needs to be underscore ...
Reliably doing 60k+ events in the continuous and 300k+ in the index_once. Arriving at the appropriate time window/interval size has been more error than trial. Note that the TA will buffer the incoming events into memory until it's finished its retrieval cycle from the REST API. This will especially come into play if this TA is co-located with others such as SAMCS.
Both methods can run simultaneously. We're doing 15min interval for the continuous and a 1.5h window for the index_once. Using the GUI to update the index_once values each time WILL RESTART just the index_once input - WooHoo!
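A preflight check for conf-file deployments, covering two points raised in the answers above: underscores instead of hyphens in the input name, and the `$orderby=Received asc` clause in the input module. This is an added example, not code from the TA or from the posters; the sample conf, the module snippet and the placeholder host are constructed.

```python
import re

SCHEME = "ms_o365_message_trace"
ORDERBY = "$orderby=Received asc"  # clause the answer says to remove from the URL
STANZA_RE = re.compile(r"^\[(?P<scheme>[A-Za-z0-9_]+)://(?P<name>[^\]]*)\]$")


def lint_inputs_conf(text):
    """Return (line_no, name, suggested_name) for each message-trace
    stanza whose input name contains a hyphen."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = STANZA_RE.match(raw.strip())
        if not m or m.group("scheme") != SCHEME:
            continue  # comments, key = value lines, other schemes
        name = m.group("name")
        if "-" in name:
            findings.append((line_no, name, name.replace("-", "_")))
    return findings


def orderby_lines(module_source):
    """Return the line numbers that still contain the $orderby clause."""
    return [n for n, line in enumerate(module_source.splitlines(), 1)
            if ORDERBY in line]


# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
# local/inputs.conf
[ms_o365_message_trace://NNN-O365]
interval = 900

[ms_o365_message_trace://NNN_O365_once]

[monitor:///var/log/my-app.log]
"""

# Constructed stand-in for the input module; the host is a placeholder.
SAMPLE_MODULE = '''\
def build_url(start, end):
    base = "https://reports.example.invalid/MessageTrace"
    return base + "?$filter=..." + "&$orderby=Received asc"
'''

if __name__ == "__main__":
    for line_no, name, fix in lint_inputs_conf(SAMPLE_CONF):
        print(f"inputs.conf:{line_no}: rename '{name}' to '{fix}'")
    for n in orderby_lines(SAMPLE_MODULE):
        print(f"module line {n}: still contains {ORDERBY!r}")
```

Run it against the real `local/inputs.conf` and `bin/input_module_ms_o365_message_trace.py` contents before pushing the app to a forwarder; it does not cover the credential step, which the answer says still needs the GUI.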