
Microsoft Office 365 Reporting Add-on for Splunk: Is it possible to reset the start time without reinstalling the App?

bradp1234
Path Finder

I have experienced this issue twice. The app will crash and get behind and not be able to catch up. I think the o365 API only keeps a certain time frame of logs and after that they are not accessible. Once the installation is querying the logs that are inaccessible, the app never catches back up to when logs are present. In the past the only solution was to reinstall the app. But the start and end date must be located in a KV store or lookup somewhere. Has anyone figured out how to update those values without reinstalling the app? I have tried the web interface, but once the app gets started it doesn't seem to respect the start date entered into the web configuration. Any help is appreciated.

Using version 1.1.0 of the app
Splunk enterprise version: 6.6.7

1 Solution

jconger
Splunk Employee

The checkpoint is indeed stored in the KV store. You can delete your existing input and create a new input with a different name rather than uninstall/reinstall the add-on. The reason for the different name is the "key" used in the KV store is the input name.


MuS
Legend

Hi bradp1234,

I had a similar issue where the input stopped unnoticed for more than 2 weeks, and once it was restarted the events were no longer available from the MS API :facepalm:

It took me some time to troubleshoot the script/issue, but once I found how and where the checkpoint is accessed it was easy to manually check and update the checkpoint hidden deep inside this weird REST API / KV store construct.

You can use this command to see the checkpoint:

curl -k https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

And you can use this command to modify the checkpoint:

curl -k --header "Content-Type: application/json" --request POST --data '[ { "state" : "{\"max_date\": \"2018-11-20 18:56:17.772814\"}", "_user" : "nobody", "_key" : "O365_<input name here>_checkpoint"}] ' https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

Hope this helps should you have further issues ...

cheers, MuS
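The two curl commands above, as an added Python example (not code from MuS's post or from the add-on itself). It handles the one part that is easy to get wrong by hand: the "state" field is a JSON document stored as a string inside the KV store record, so it has to be decoded and encoded twice. The collection name is a placeholder because the page truncates it, and the Basic-auth credentials and the CA file path for splunkd's certificate are assumptions.

```python
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

SPLUNKD = "https://127.0.0.1:8089"
APP_NS = "servicesNS/nobody/TA-MS_O365_Reporting"
# Placeholder: the collection name is truncated on the page ("TA_MS_O365_Re...").
COLLECTION = "TA_MS_O365_Re_PLACEHOLDER"
DATE_FMT = "%Y-%m-%d %H:%M:%S.%f"

def checkpoint_key(input_name: str) -> str:
    """KV store _key for one modular input; this is why a renamed input starts fresh."""
    return f"O365_{input_name}_checkpoint"

def parse_checkpoint(record: dict) -> datetime:
    """'state' is a JSON document stored as a string, so it is decoded a second time."""
    state = json.loads(record["state"])
    return datetime.strptime(state["max_date"], DATE_FMT)

def build_checkpoint_record(input_name: str, max_date: datetime) -> list:
    """Body for the POST that overwrites the checkpoint. A future max_date would
    make the input skip events instead of replaying them, so it is refused."""
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    if max_date > now:
        raise ValueError("max_date must not be in the future")
    state = json.dumps({"max_date": max_date.strftime(DATE_FMT)})
    return [{"state": state, "_user": "nobody", "_key": checkpoint_key(input_name)}]

def _call(method: str, path: str, user: str, password: str, cafile: str, body=None):
    """Basic-auth REST call to splunkd; trusts its certificate via cafile instead of
    disabling verification the way curl -k does."""
    req = urllib.request.Request(f"{SPLUNKD}/{APP_NS}/{path}", data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())

def get_checkpoint(input_name, user, password, cafile):
    path = f"storage/collections/data/{COLLECTION}/{checkpoint_key(input_name)}"
    return parse_checkpoint(_call("GET", path, user, password, cafile))

def set_checkpoint(input_name, max_date, user, password, cafile):
    body = json.dumps(build_checkpoint_record(input_name, max_date)).encode()
    return _call("POST", f"storage/collections/data/{COLLECTION}", user, password, cafile, body)
```

After `set_checkpoint`, confirm with `get_checkpoint` that the stored `max_date` is what you wrote, then restart the input so it picks the new value up.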


bradp1234
Path Finder

Thank you!
