Solved: Re: After the Microsoft Office 365 App for Splunk ...

clozach · ‎02-15-2019

Hi,

I installed the add-on for Microsoft Office 365 and then installed the app for Microsoft Office 365 for the dashboards. The installation went fine, but the dashboards are not populating. When I open the searches, it looks like it's using data models or something.

Does anyone know anything about this? Below is a search from a dashboard panel with no results.

o365_sourcetypes` Workload=AzureActiveDirectory | timechart dc(user)

ChrisBell04 · ‎12-30-2019

The latest version 3.0 of this app, appears to have removed the usage of most of the defined macros. Now most of the dashboard queries only use sourcetype=something, with no index being specified (not a splunk best practice), which can also result in no data being populated. This forces a user to edit every dashboard (or underlying xml files) to properly define every index (or use their own custom macro for it).

Sure would be great if a future release used macros on all the dashboards again.

View solution in original post

ChrisBell04 · ‎12-30-2019

The latest version 3.0 of this app, appears to have removed the usage of most of the defined macros. Now most of the dashboard queries only use sourcetype=something, with no index being specified (not a splunk best practice), which can also result in no data being populated. This forces a user to edit every dashboard (or underlying xml files) to properly define every index (or use their own custom macro for it).

Sure would be great if a future release used macros on all the dashboards again.

rlait_splunk · ‎12-30-2019

Hey Chris, thanks for the feedback. I've updated the searches to include a default index macro.
Edit the m365_default_index macro to include your M365 index.
v3.0.1 is now up on Splunkbase.

Cheers,
Ryan

ChrisBell04 · ‎12-31-2019

@rlait_splunk
Thanks for the fast fix and release!

ssattler · ‎10-14-2019

getting permissions errors, the documentation is not quite clear, or current for o365, the o365 admins are stuck, I can see permission errors and they have no idea what to change...

rlait_splunk · ‎02-17-2019

the o365_sourcetypes macro is just an easy way of defining the sourcetypes from both the O365 add-on and the Microsoft Cloud Services add-on sourcetype. You can expand the macro inline by hitting Ctrl+Shift+E on your keyboard. (Command+Shift+E on mac).

Check that the Splunk role you're using is searching specific indexes by default. Best practise for building dashboard content is to exclude index definitions.

Worst case you could edit the macro and prefix the macro with index="YOUR O365 INDEX"

Hope that helps!

richgalloway · ‎02-15-2019

The unfortunate thing about Splunk apps is they're not magic. Sometimes they work right out of the box and sometimes they don't. It depends on your data.

Start by looking at the o365_sourcetypes macro. Does it reference a sourcetype that exists in your data? What about the index name?

Does your data have fields called 'Workload' and 'user'?

---
If this reply helps you, Karma would be appreciated.

veeeeruuuu · ‎07-03-2024

Hi @richgalloway
In splunk search head, I installed o365 app. But when I restart Splunk, the app is disappearing.

can u plz help...

richgalloway · ‎07-03-2024

This thread is five years old with an accepted answer. So your problem has better chances of being seen by someone who can help, please post a new question with details about the problem, including what steps you take and what errors are seen.

---
If this reply helps you, Karma would be appreciated.

After the Microsoft Office 365 App for Splunk was successfully installed, why are the dashboards not populating?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...