Any idea why we would get these 500 and 401 errors?
29/06/2019
18:14:40.818
06-29-2019 18:14:40.818 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 500 Server Error: Internal Server Error for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...;
host = HOSTNAME source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
28/06/2019
11:58:24.288
06-28-2019 11:58:24.288 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...;
host = HOSTNAME source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
@Esky73
So these are bad and unauthorized requests from the Splunk O365 TA. There can be multiple reasons for these, but have you verified your connection to Office 365?
This add-on makes use of the Office 365 Reporting Web Service (https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984...). It should be easy to test this web service outside of Splunk using cURL or Postman.
Let me know. Thanks
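Before testing the web service by hand, the ExecProcessor errors quoted in the question can be triaged by status code, so that credential failures are separated from service-side failures. This is an added example, not part of the original posts or the add-on's code; the sample lines are constructed from the ones in the question, and the names `classify` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the splunkd.log lines quoted in the question
# (URL query strings shortened to "..." as on the page).
SAMPLE_LOG = """\
06-29-2019 18:14:40.818 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 500 Server Error: Internal Server Error for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=...
06-28-2019 11:58:24.288 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=...
06-28-2019 12:00:01.000 +1000 INFO ExecProcessor - unrelated line
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ERROR ExecProcessor - '
    r'message from "(?P<cmd>[^"]+)" HTTP Request error: (?P<status>\d{3}) '
    r'(?P<reason>.+?) for url: (?P<url>\S+)'
)

def classify(status):
    """Map an HTTP status to the side that most likely needs attention."""
    if status in (401, 403):
        return "auth"      # credentials or permissions rejected by the service
    if 500 <= status <= 599:
        return "server"    # the service failed while handling the request
    if 400 <= status <= 499:
        return "request"   # the service rejected the request as sent
    return "other"

def triage(log_text):
    """Group HTTP errors by (script, endpoint without query, class)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an HTTP error reported by a scripted input
        status = int(m.group("status"))
        script = m.group("cmd").split("/")[-1]
        endpoint = m.group("url").split("?", 1)[0]  # drop the query string
        groups[(script, endpoint, classify(status))].append((m.group("ts"), status))
    return dict(groups)

if __name__ == "__main__":
    for (script, endpoint, kind), hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind:8} {len(hits)}x {script} -> {endpoint} first={hits[0][0]}")
```

Run against the real splunkd.log, a steady stream of "auth" entries points at the account configured in the add-on, while isolated "server" entries point at the reporting service itself.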