https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/507417#M86348 <P>Hello,</P><P>I'm trying to use Splunk Add-on for Microsoft Office 365 to collect service status from O365 Via azure API. I have configuration that each 5 minutes i'm asking about service status and i have noticed that for a few days in rows it works but afterwards Splunk receive events for certain sourcetype only once per day at 2am. The problem is only with sourcetype: o365:service:status. Another sourcetype form the same addon: sourcetype o365:management:activity works all the time without problem. Has anyone similar problem? There is some limitation here? or Azure API is unstable? addon version 2.0.2,&nbsp;<SPAN>Audit Log Search is enabled.</SPAN></P> Sun, 05 Jul 2020 19:23:10 GMT pedro_77 2020-07-05T19:23:10Z https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/507417#M86348 <P>Hello,</P><P>I'm trying to use Splunk Add-on for Microsoft Office 365 to collect service status from O365 Via azure API. I have configuration that each 5 minutes i'm asking about service status and i have noticed that for a few days in rows it works but afterwards Splunk receive events for certain sourcetype only once per day at 2am. The problem is only with sourcetype: o365:service:status. Another sourcetype form the same addon: sourcetype o365:management:activity works all the time without problem. Has anyone similar problem? There is some limitation here? or Azure API is unstable? addon version 2.0.2,&nbsp;<SPAN>Audit Log Search is enabled.</SPAN></P> Sun, 05 Jul 2020 19:23:10 GMT https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/507417#M86348 pedro_77 2020-07-05T19:23:10Z https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/532503#M89518 <P>Hi Pedro,<BR /><BR />I was just having the same issue. And I also found an article on the Microsoft page telling, that those logs are always 24h delayed.&nbsp;<A href="https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference" target="_self">https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference</A>&nbsp;</P><P>&nbsp;</P><P>They also say there, we need to use the messages to get new updates during the day. So I modified the search on the "Microsoft 365 App for Splunk" App. They are using at the moment this search to display the latest status:</P><LI-CODE lang="markup">index=azure `o365_service_status` | stats latest(FeatureStatus{}.FeatureServiceStatusDisplayName) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status</LI-CODE><P>&nbsp;</P><P>If I update to this search, it works for me:</P><LI-CODE lang="markup">(index=azure (sourcetype="o365:service:status" OR (sourcetype="o365:service:message" FeatureDisplayName="*"))) | stats latest(Status) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status</LI-CODE><P>&nbsp;</P><P>As you can see I had to use the other sourcetype, plust another field in the stats.<BR /><BR />Hope that helps you too.<BR /><BR /></P> Wed, 09 Dec 2020 17:28:13 GMT https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/532503#M89518 loderlukas 2020-12-09T17:28:13Z https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/582434#M102620 <P>Are you getting impacted by this?&nbsp;<A href="https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference" target="_blank">https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-api-reference</A></P> Tue, 25 Jan 2022 19:47:04 GMT https://community.splunk.com/t5/Getting-Data-In/problem-with-service-status-via-Azure-API/m-p/582434#M102620 orca 2022-01-25T19:47:04Z