Splunk Add-on for Microsoft Office 365 hangs randomly

wojtek25
Engager

Hello,

The plugin is configured to get Office 365 audit logs (Exchange, SharePoint, Teams, etc.).
The problem is that from time to time it just stops ingesting some of the inputs.
If the input is then manually disabled and enabled from the GUI, ingesting works again.

The internal log shows no errors, just standard messages like: ..success, ..found, ..available content.
Then after a gap there is a message: Loop has been aborted (which is probably due to disabling/enabling the input). After that there are standard messages again.

  1. Has anybody had a similar problem with this plugin, and what could be a solution?
  2. Would you suggest using another app: Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/#/overview) ?

Regards,
Wojtek

wojtek25
Engager

Here are the changes to the scripts that fix that problem:

In lines 166 to 168 in file splunk_ta_o365/bin/splunk_ta_o365/common/portal.py, add timeout at line 167 like this:

logger.debug('Calling management activity API.', url=url, params=params)
response = session.request(method, url, params=params, timeout=60)
status_code = response.status_code

In lines from 117 - 119 in file splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py, change the lines 117 and 119 like this:

now = self._now() // 86400 * 86400 + 86400
end_time = datetime.utcfromtimestamp(now)
start_time = end_time - timedelta(days=7)

Regards,
Wojtek
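A stand-alone illustration of the two changes above, added here as an example and not taken from the add-on's own code: `audit_window` builds the same day-aligned seven-day window as the patched `management_activity.py` lines, and `fetch_with_timeout` shows why the `timeout=60` on `session.request` matters, using a constructed local "server" that accepts the connection but never answers (the hang-with-no-errors symptom described in the thread). It uses `urllib` instead of the add-on's `requests` session; the function names are assumptions.

```python
import socket
import threading
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

DAY = 86400


def audit_window(now_epoch, lookback_days=7):
    """Window built the way the patched management_activity.py lines do:
    end_time = next UTC midnight after now, start_time = end_time - lookback."""
    end_epoch = now_epoch // DAY * DAY + DAY
    end_time = datetime.fromtimestamp(end_epoch, tz=timezone.utc)
    start_time = end_time - timedelta(days=lookback_days)
    return start_time, end_time


def fetch_with_timeout(url, timeout=60):
    """Return ("ok", body) or ("timeout", None).
    Without `timeout`, a server that accepts the connection but never answers
    blocks here forever with nothing logged, which is the symptom in the thread."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read()
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return "timeout", None
        raise


def silent_server():
    """Constructed stand-in for a stalled API endpoint: accepts TCP connections
    and never writes a byte. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []

    def run():
        while True:
            conn, _ = srv.accept()
            held.append(conn)  # keep the connection open, send nothing

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    start, end = audit_window(1_700_000_000)
    print("window:", start.isoformat(), "->", end.isoformat())
    port = silent_server()
    print("stalled endpoint:", fetch_with_timeout(f"http://127.0.0.1:{port}/", timeout=2)[0])
```

With the timeout in place the call returns after the deadline and the input loop can retry or log, instead of sitting silently until someone toggles the input.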

crisponions2
Explorer

I am having this issue as well and have been for a while. I had a cron job running that disabled and re-enabled the ingesting every night, but it seems to be failing several times a day now.

Same symptoms. Suddenly I will show no input, nothing in the logs of why it stopped. If I disable/enable from the GUI everything starts flowing again.
