Latency problems (1140mins) for sourcetype o365:service:status/ Python Code Error messages

layamba
Explorer

I am troubleshooting a latency issue for one sourcetype.
When I used this query: index=_internal sourcetype=splunk:ta:o365:log level=ERROR

I see this error:

2019-09-05 14:28:42,350 level=ERROR pid=21332 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:67 | datainput="O365_prod_DLP" start_time=1567708121 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 65, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 100, in run
    executor.run(adapter)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/batch.py", line 47, in run
    for jobs in delegate.discover():
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 125, in discover
    subscription.start(session)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 150, in start
    response = self._perform(session, 'POST', '/subscriptions/start', params)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 159, in _perform
    return self._request(session, method, url, kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 171, in _request
    raise O365PortalError(response)
O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}


Could this be the reason for the time differences?
Your help would be greatly appreciated.

hkubavat_splunk
Splunk Employee

The error code AF10001 indicates that the permission did not include the expected permission.
You need to enable the permissions below as Delegated permissions as well as Application permissions in your Azure cloud:
1. ActivityFeed.Read
2. ServiceHealth.Read
3. ActivityFeed.ReadDlp (Optional)
So can you please try to provide access?

0 Karma
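
One way to confirm which permissions an access token actually carries before and after granting consent, as an added example that is not part of the thread or of the add-on's code. It assumes Azure AD's usual token layout (application permissions in the `roles` claim, delegated permissions in the space-separated `scp` claim); the sample tokens are constructed and unsigned.

```python
import base64
import json

# Permissions named in the answer above; ActivityFeed.ReadDlp is optional.
REQUIRED = {"ActivityFeed.Read", "ServiceHealth.Read"}
OPTIONAL = {"ActivityFeed.ReadDlp"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_permissions(jwt: str) -> set:
    """Return the permissions in a token payload. The signature is NOT verified,
    so use this for local diagnosis only, never for an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    roles = claims.get("roles") or []            # application permissions (assumed claim)
    scopes = (claims.get("scp") or "").split()   # delegated permissions (assumed claim)
    return set(roles) | set(scopes)


def audit(jwt: str) -> dict:
    """Compare the token's permissions with the ones the answer lists."""
    granted = token_permissions(jwt)
    return {
        "granted": sorted(granted),
        "missing_required": sorted(REQUIRED - granted),
        "missing_optional": sorted(OPTIONAL - granted),
    }


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


# Constructed samples: an app with no consented permissions, and one with both required ones.
EMPTY_TOKEN = make_sample({"aud": "https://manage.office.com"})
GOOD_TOKEN = make_sample({"aud": "https://manage.office.com",
                          "roles": ["ActivityFeed.Read", "ServiceHealth.Read"]})

if __name__ == "__main__":
    for name, tok in (("empty", EMPTY_TOKEN), ("good", GOOD_TOKEN)):
        print(name, audit(tok))
```

Treat a real access token as a secret: decode it on the host that obtained it rather than pasting it into an online decoder.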