Re: Why is my Splunk not Ingesting Emails?

dfrench151 · ‎10-13-2022

Hello,

My Splunk is no longer ingesting emails from our O365 email account anymore. I was not the person to set this up and need assistance in troubleshooting. Can anyone provide assistance/guidance.

There is also an error that is showing in regards to the KvStore "KV Store process terminated abnormally (exit code 14, status exited with code 14).", which I'm not sure is related or not. We have a search head cluster setup with 2 indexers that are not clustered.

Vardhan · ‎10-14-2022

Hi,

To resolve the issue find the HF in your environment then

Go to the Splunk Web home screen.
Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
Click on the Input tab.

And there will be a enable and disable option . First disable the inputs and enable it back again.

There is nothing to do with the https://splunkbase.splunk.com/app/1739 Splunk app. The log collection will be happen with the help of addon.

Vardhan · ‎10-13-2022

If you are collecting logs from O365 app. Then try disable the inputs and enable it back again in HF.

dfrench151 · ‎10-14-2022

How exactly would I do that?... Would I just rename it to something else, then restart Splunk service?

Would it be the inputs.conf file located at this location? S:\Program Files\Splunk\etc\apps\splunk_ta_o365\local

Also, I have a suspicion we could have been using this application as well

https://splunkbase.splunk.com/app/1739 (IMAP Mailbox)

Why is my Splunk not Ingesting Emails?

email

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life