MS O365 Message Tracing - HTTP500/400 on TA Start - Config Issue?

tobinbxnz
Explorer

HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- Validation for scheme=ms_o365_message_trace failed: The script returned with exit status 1.\". See splunkd.log for more details."}]}

local/inputs.conf has the stanza header like this:

[ms_o365_message_trace://NNN-O365]

I've read through the bin/ms_o365_message_trace.py and it would seem like a syntax error ... the code seems to refer to a mandatory value pair of name = NNN-O365. What am I doing wrong?

We configure our remote HFs using conf files directly, as there is no easy way to run the GUI on them (AWS, corporate network, etc., etc.).

Cheers

0 Karma

tobinbxnz
Explorer

You have to use the GUI to set up the input initially, as this does the password saving/hashing ...

THEN you have to remove the $orderby=Received asc from the URL in the python bin/input_module_ms_o365_message_trace.py

THEN ... maybe ... tweak the timings/delay values to stay under 10000 events per incantation

0 Karma

tobinbxnz
Explorer

Plus, no hyphen/dash in the name, needs to be underscore ...

Reliably doing 60k+ events in the continuous and 300k+ in the index_once. Arriving at the appropriate time window/interval size has been more error than trial. Note that the TA will buffer the incoming events into memory until it's finished its retrieval cycle from the REST API. This will especially come into play if this TA is co-located with others such as SAMCS.

Both methods can run simultaneously. We're doing 15min interval for the continuous and a 1.5h window for the index_once. Using the GUI to update the index_once values each time WILL RESTART just the index_once input - WooHoo!

0 Karma
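Two of the conf-file pitfalls from the posts above (a hyphen in the input name, and the `$orderby=Received asc` parameter in the trace URL) as a small pre-flight check. This is an added example, not code from the TA or from the poster; the exact name validation the TA performs and the sample URL/host are assumptions.

```python
"""Pre-flight checks for ms_o365_message_trace inputs configured by hand.
Added example; the rule "underscores only, no hyphen" comes from the thread,
the precise validation the TA applies is an assumption."""
import re
from urllib.parse import urlsplit, urlunsplit

SCHEME = "ms_o365_message_trace"

# Constructed sample of a local/inputs.conf: first stanza uses the
# hyphenated name from the original question, second the corrected form.
SAMPLE_INPUTS_CONF = """
[ms_o365_message_trace://NNN-O365]
interval = 900
index = o365

[ms_o365_message_trace://NNN_O365]
interval = 900
index = o365
"""


def stanza_names(conf_text: str, scheme: str = SCHEME) -> list[str]:
    """Return the input names declared for `scheme` in an inputs.conf text."""
    pattern = re.compile(r"^\[" + re.escape(scheme) + r"://([^\]]+)\]\s*$", re.M)
    return pattern.findall(conf_text)


def check_name(name: str) -> list[str]:
    """Report problems with an input name; an empty list means it looks OK."""
    if "-" in name:
        return [f"{name!r}: hyphen/dash not allowed, use underscore"]
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):  # assumed allowed charset
        return [f"{name!r}: use only letters, digits and underscore"]
    return []


def strip_orderby(url: str) -> str:
    """Drop the $orderby query parameter from a message trace REST URL,
    leaving the other parameters and their encoding untouched."""
    parts = urlsplit(url)
    kept = [p for p in parts.query.split("&") if p and not p.startswith("$orderby=")]
    return urlunsplit(parts._replace(query="&".join(kept)))


if __name__ == "__main__":
    for name in stanza_names(SAMPLE_INPUTS_CONF):
        print(name, check_name(name) or "ok")
```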