
Splunk Add-on for Microsoft Office 365: input tab displays not found banner on Splunk Cloud

nathanluke86
Communicator

I have installed the Office 365 add-on on the local search head and heavy forwarder.
The Input tab in the o365 add-on is not showing the index I created on Splunk Cloud.

I have also tried installing the o365 add-on on Splunk Cloud but the input tab in o365 displays a "Not Found" banner.

I have managed to get o365 logs into Splunk (searchable on cloud and local SH) but I can't seem to get them into the right index (on the local search head I can only get the main index).

I'm fairly new to Splunk so any help would be appreciated.

My setup consists of a heavy forwarder, local search head, managed Splunk Cloud and a deployment server.

vascdanut
New Member

Hello, I am not sure if I can get any help as this topic is pretty old, but hopefully someone is facing a similar issue and has an answer. I have installed the Splunk Add-on for Microsoft Office 365 version 3.0.0 on a Victoria Experience cloud instance, and I receive the same "Not Found" error on inputs. On this cloud instance, there is no need to configure an index through an IDM, nor install the app through a support ticket. I can see my index in the configuration of the inputs, but I still receive the same error. Has anyone been able to solve this? Thank you!

0 Karma

amckinnie_splun
Splunk Employee

In Splunk Cloud, inputs for this app are not allowed on the SH at this time. You will have to add the inputs via the IDM as @nathanluke86 stated.

0 Karma

harrysof
Explorer

I have the same issue, so I put in a ticket right now with Splunk support. Let's see what they come back with.

0 Karma

henriquelinsmey
Explorer

Hi harrysof, have you heard anything back yet from Cloud Ops team? Same issue here.

0 Karma

harrysof
Explorer

Yes, I did. Turns out you cannot use it on Splunk Cloud, as the inputs.conf file cannot be edited if you are using managed Splunk Cloud services.

I was told to install this app on my heavy forwarder to get the inputs to work correctly.

0 Karma

nathanluke86
Communicator

Finally managed to get this working. Splunk provided an IDM to run alongside Splunk Cloud. I would suggest issuing a support ticket and asking for access to an IDM. I was running the app on a local search head but had issues with indexing.

0 Karma

henriquelinsmey
Explorer

Hi nathanluke86,
Splunk Cloud IDM solves the problem!!
To create inputs under a customized index (not main/default), you should create the new index on the IDM environment first, which will then be replicated to the other instances that are part of the cluster.

nathanluke86
Communicator

The IDM is managed by Splunk. I asked for the o365 app to be installed and specified to support which index I would like to use.

0 Karma