All Apps and Add-ons

500 and 401 errors on messagetrace app.

Esky73
Builder

any idea why we would get these 500 and 401 errors ?

29/06/2019
18:14:40.818    
06-29-2019 18:14:40.818 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 500 Server Error: Internal Server Error for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...;
host =  HOSTNAME source =   /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
28/06/2019
11:58:24.288    
06-28-2019 11:58:24.288 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...;
host =  HOSTNAME source =   /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
0 Karma

amitm05
Builder

@Esky73
So these are bad and unauthorized requests from splunk O365 TA. There can be multiple reasons for these, but have you made sure for your Connection into Office365.
This add-on makes use of the Office 365 Reporting Web Service (https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984...). This should be easy to test this web service outside of Splunk using cURL or Postman.

Let me know. Thanks

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...