topic Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration in All Apps and Add-ons

Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

rayar — Wed, 27 Jan 2021 09:00:28 GMT

I have the input working for long time

after it stopped working I have reinstalled the Add-on 1.2.4

Now I am a lot of data I need to import

how you would recommend to setup the input (delay_throttle , query_window_size ,interval ) ?

[splunk@ilissplfwd05 local]$ cat inputs.conf

[ms_o365_message_trace://o365tracking]
delay_throttle = 720
index = o365
input_mode = continuously_monitor
interval = 30
office_365_account = o365tracking
query_window_size = 30
start_date_time = 2021-01-21T00:00:01
disabled = 0
[splunk@ilissplfwd05 local]$

Re: Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

becksyboy — Wed, 27 Jan 2021 11:18:58 GMT

You should be able to do an index once. Can't remember how far you can go back but you should be able to do 20-30 days worth?

[ms_o365_message_trace://index_once]
delay_throttle = 1
index = ********
input_mode = index_once
interval = -1
office_365_password = ********
office_365_username = ********
query_window_size = 60
start_date_time = 2021-01-01T11:01:01
end_date_time = 2021-01-27T11:01:01

Re: Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

rayar — Wed, 27 Jan 2021 15:34:31 GMT

thanks a lot

I will create a separate input for "Index Once"

What values you would recommend for "Continuously Monitor" ?

Re: Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

becksyboy — Wed, 27 Jan 2021 15:50:55 GMT

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs.

This may help you:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporting-Add-on-for/m-p/437206#M53764

Also from the App:

https://splunkbase.splunk.com/app/3720/#/details

Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes.
Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".

Re: Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

becksyboy — Thu, 28 Jan 2021 10:50:36 GMT

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs.

This may help you:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporti...

Also from the App:

https://splunkbase.splunk.com/app/3720/#/details

Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes.
Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".