
After the Microsoft Office 365 App for Splunk was successfully installed, why are the dashboards not populating?

clozach
Path Finder

Hi,

I installed the add-on for Microsoft Office 365 and then installed the app for Microsoft Office 365 for the dashboards. The installation went fine, but the dashboards are not populating. When I open the searches, it looks like it's using data models or something.

Does anyone know anything about this? Below is a search from a dashboard panel with no results.

`o365_sourcetypes` Workload=AzureActiveDirectory | timechart dc(user)

1 Solution

ChrisBell04
Communicator

The latest version 3.0 of this app appears to have removed the usage of most of the defined macros. Now most of the dashboard queries only use sourcetype=something, with no index being specified (not a Splunk best practice), which can also result in no data being populated. This forces a user to edit every dashboard (or underlying XML files) to properly define every index (or use their own custom macro for it).

Sure would be great if a future release used macros on all the dashboards again.


rlait_splunk
Splunk Employee

Hey Chris, thanks for the feedback. I've updated the searches to include a default index macro.
Edit the m365_default_index macro to include your M365 index.
v3.0.1 is now up on Splunkbase.

Cheers,
Ryan


ChrisBell04
Communicator

@rlait_splunk
Thanks for the fast fix and release!


ssattler
Path Finder

Getting permissions errors. The documentation is not quite clear, or current, for O365. The O365 admins are stuck; I can see permission errors and they have no idea what to change...


rlait_splunk
Splunk Employee

The o365_sourcetypes macro is just an easy way of defining the sourcetypes from both the O365 add-on and the Microsoft Cloud Services add-on. You can expand the macro inline by hitting Ctrl+Shift+E on your keyboard (Command+Shift+E on Mac).

Check that the Splunk role you're using is searching specific indexes by default. Best practice for building dashboard content is to exclude index definitions.

Worst case, you could edit the macro and prefix it with index="YOUR O365 INDEX".

Hope that helps!
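As an added example (not code from the app, Splunk, or anyone in this thread), this is what the two fixes described above look like in a local macros.conf override: the m365_default_index macro that v3.0.1 introduced, and the index prefix on the o365_sourcetypes macro that rlait_splunk suggests as the fallback. The index name "o365" and the two sourcetype names are assumptions for illustration; confirm the real definitions by expanding the shipped macro with Ctrl+Shift+E before editing anything.

```ini
# $SPLUNK_HOME/etc/apps/<the O365 app>/local/macros.conf
# Hypothetical local override; the app's own default/macros.conf is left untouched
# so the change survives upgrades. All index and sourcetype values below are assumed.

# The index the O365 add-on writes to. Set this once; every dashboard search
# that starts with `o365_sourcetypes` picks it up.
[m365_default_index]
definition = index="o365"

# Sourcetype macro prefixed with the index macro. Without the prefix, the
# search falls back to the role's default indexes, which is why the panels
# stay empty when "o365" is not among them.
[o365_sourcetypes]
definition = `m365_default_index` (sourcetype="o365:management:activity" OR sourcetype="ms:o365:management")

# Dashboard panel search from the question, and what it expands to (Ctrl+Shift+E):
#   `o365_sourcetypes` Workload=AzureActiveDirectory | timechart dc(user)
#   index="o365" (sourcetype="o365:management:activity" OR sourcetype="ms:o365:management")
#       Workload=AzureActiveDirectory | timechart dc(user)
#
# Sanity check before blaming the macro: confirm events with those sourcetypes
# actually exist in the index (empty output means an ingestion or permissions
# problem, not a dashboard problem):
#   | tstats count where index="o365" by sourcetype
```

Macros reference each other with backticks, so the nested `m365_default_index` is expanded first; after saving the file, run the panel search manually and check that the Workload and user fields are present in the results, since the timechart returns nothing if either field is missing.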

richgalloway
SplunkTrust

The unfortunate thing about Splunk apps is they're not magic. Sometimes they work right out of the box and sometimes they don't. It depends on your data.

Start by looking at the o365_sourcetypes macro. Does it reference a sourcetype that exists in your data? What about the index name?

Does your data have fields called 'Workload' and 'user'?

---
If this reply helps you, Karma would be appreciated.

veeeeruuuu
Loves-to-Learn

Hi @richgalloway
On the Splunk search head, I installed the O365 app. But when I restart Splunk, the app is disappearing.

Can you please help...


richgalloway
SplunkTrust

This thread is five years old and has an accepted answer. So that your problem has a better chance of being seen by someone who can help, please post a new question with details about the problem, including what steps you take and what errors are seen.

---
If this reply helps you, Karma would be appreciated.