topic Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES) in Splunk Enterprise

Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

Serial98 — Mon, 16 Dec 2024 10:59:17 GMT

Hello,

We have a Splunk indexer cluster with two searchheads and would like to use the addon in the cluster: https://splunkbase.splunk.com/app/4055

We installed the addon on the searchhead without ES and on all indexers via ClusterManager App.

Then we set up all the inputs for the addon on the searchhead and could not select the index “M365” but only enter it manually.

The problem now is that this index is not filled by the indexers!

What are we doing wrong here?

Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

isoutamo — Mon, 16 Dec 2024 21:31:13 GMT

i’m not sure if I understand correctly how you have installed ad configured it? Have you followed this instructions where to install it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Install/ ? And then followed this how to configure it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureAppinAzureAD/ ?

Following those steps it should work. If not then you should look troubleshooting from here https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Troubleshooting/

r. Ismo

Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

PickleRick — Mon, 16 Dec 2024 23:36:13 GMT

First and foremost - you should not configure inputs on a search head. Set up a separate HF with those inputs and only use SHs for searching.

There might be more issues with your overall setup that we don't know about.

Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

Serial98 — Tue, 17 Dec 2024 11:56:02 GMT

Thanks for the quick replies, we have configured a HF and removed the input from the SH.

With the help of the guides we also managed to set the necessary EntraID permissions for the app.

Now it works and all dashboards show data.

Thank you very much!

Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

isoutamo — Tue, 17 Dec 2024 13:51:42 GMT

As @PickleRick said, you should use separate HF in distributed environment for all modular inputs, don’t put those into SH. Of course you need TA in SH too, but not inputs configured there.

Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

Serial98 — Tue, 17 Dec 2024 14:09:15 GMT

@isoutamo ,

many thanks for the advice, we have now seperated all inputs to the HF. SH is now just for searching but has the TA installed.

@PickleRick many thanks also for the hint!

Re: Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

isoutamo — Tue, 17 Dec 2024 16:10:53 GMT

If you have multiple cores in that HF and if it runs e.g. DB Connect then you should add pipelines into it. That increase it's performance. Usually it's said that don't use more pipelines than 2 on your node unless it's physical server and it's HF. There are some articles/post/blogs about this, where you could found more information about it.