Hello,
I'm currently trying to migrate from the Microsoft Cloud Services add-on, and had everything working, but twice I've had the 365 add-on silently fail.
As an example, the below is the output of MailboxLogin | timechart count span=15m - the data just stops at 01:45 this morning.
If I go to the 365 add-on settings page, disable all the inputs, and then re-enable all the inputs, it starts reingesting the data back to where it stopped.
I can see in the _internal log if I search for index=_internal sourcetype="splunk:ta:o365:log" | stats count by message, there's 1 message that looks like it might be bad:
2018-08-07 18:35:35,250 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:discover:124 | start_time=1533620714 datainput="xxx_Exchange" | message="Access token will expire soon."
This seems to line up with index=_internal sourcetype="splunk:ta:o365:log" datainput=xxx_Exchange | timechart count by message, where everything drops at the same time when the access token expired.
Is there a missing config somewhere to refresh the access token automatically?
... View more