
After the Microsoft Office 365 App for Splunk was successfully installed, why are the dashboards not populating?

Explorer

Hi,

I installed the add-on for Microsoft Office 365 and then installed the app for Microsoft Office 365 for the dashboards. The installation went fine, but the dashboards are not populating. When I open the searches, it looks like it's using data models or something.

Does anyone know anything about this? Below is a search from a dashboard panel with no results.

`o365_sourcetypes` Workload=AzureActiveDirectory | timechart dc(user)
1 Solution

Communicator

The latest version, 3.0, of this app appears to have removed the usage of most of the defined macros. Now most of the dashboard queries only use sourcetype=something, with no index being specified (not a Splunk best practice), which can also result in no data being populated. This forces a user to edit every dashboard (or the underlying XML files) to properly define every index (or use their own custom macro for it).

Sure would be great if a future release used macros on all the dashboards again.



Splunk Employee

Hey Chris, thanks for the feedback. I've updated the searches to include a default index macro.
Edit the m365_default_index macro to include your M365 index.
v3.0.1 is now up on Splunkbase.

Cheers,
Ryan


Communicator

@rlait_splunk
Thanks for the fast fix and release!


Path Finder

Getting permission errors. The documentation is not quite clear, or current, for O365; the O365 admins are stuck. I can see permission errors and they have no idea what to change...


Splunk Employee

The o365_sourcetypes macro is just an easy way of defining the sourcetypes from both the O365 add-on and the Microsoft Cloud Services add-on. You can expand the macro inline by hitting Ctrl+Shift+E on your keyboard (Command+Shift+E on Mac).

Check that the Splunk role you're using is searching specific indexes by default. Best practice for building dashboard content is to exclude index definitions.

Worst case, you could edit the macro and prefix it with index="YOUR O365 INDEX".

Hope that helps!
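The two fixes offered in this thread (the m365_default_index macro added in v3.0.1, and expanding or prefixing o365_sourcetypes by hand) both come down to one question: once every macro in a dashboard search is expanded, does the base search pin an index, or is it relying on the role's default indexes? The script below is an added example, not code from the app or from anyone in the thread. It parses a constructed macros.conf (the stanza contents are assumptions, not the real app's definitions), expands backtick macros the way Ctrl+Shift+E would, and reports whether the expanded search constrains index=. The index name "o365" and the sourcetype values are placeholders.

```python
"""Expand Splunk search macros offline and check whether the result pins an index.

Added example. The macros.conf content below is constructed for illustration;
it is not the Microsoft 365 App's real macros.conf.
"""
import configparser
import re

# Constructed stand-in for the app's macros.conf. Index name and sourcetypes
# are assumptions; substitute your own when reproducing against a real app.
SAMPLE_MACROS_CONF = """
[m365_default_index]
definition = index=o365

[o365_sourcetypes]
definition = `m365_default_index` (sourcetype="o365:management:activity" OR sourcetype="ms:o365:management")
"""

# A dashboard search that goes through the macro (as in the original question),
# and a 3.0-style search that names a sourcetype directly with no index.
DASHBOARD_SEARCH = "`o365_sourcetypes` Workload=AzureActiveDirectory | timechart dc(user)"
NO_MACRO_SEARCH = 'sourcetype="o365:management:activity" Workload=AzureActiveDirectory | timechart dc(user)'

# Argument-less macro reference: `name`
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)`")
# index=<value> anywhere in the base search (case-insensitive, like Splunk)
INDEX_RE = re.compile(r"\bindex\s*=\s*\S+", re.IGNORECASE)


def load_macros(conf_text):
    """Return {macro_name: definition} from macros.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    return {
        name: parser[name]["definition"]
        for name in parser.sections()
        if "definition" in parser[name]
    }


def expand_macros(search, macros, max_depth=10):
    """Textually substitute macro references until none remain.

    Raises KeyError for a macro the conf does not define, and RecursionError
    if expansion never converges (a macro that references itself).
    """
    def lookup(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"macro not defined: {name}")
        return macros[name]

    for _ in range(max_depth):
        expanded = MACRO_RE.sub(lookup, search)
        if expanded == search:
            return expanded
        search = expanded
    raise RecursionError("macro expansion did not converge")


def pins_index(search):
    """True if the base search (text before the first pipe) restricts index=."""
    base = search.split("|", 1)[0]
    return INDEX_RE.search(base) is not None


def check(search, conf_text=SAMPLE_MACROS_CONF):
    """Expand a search against the conf and report (expanded_search, pins_index)."""
    expanded = expand_macros(search, load_macros(conf_text))
    return expanded, pins_index(expanded)


if __name__ == "__main__":
    for s in (DASHBOARD_SEARCH, NO_MACRO_SEARCH):
        expanded, pinned = check(s)
        status = "pins index" if pinned else "NO index: depends on role default indexes"
        print(f"{status}\n  {s}\n  -> {expanded}\n")
```

Run it as-is to see the macro-based search expand to an index=o365 base search while the sourcetype-only search does not; point SAMPLE_MACROS_CONF at the output of `splunk btool macros list --app=<app>` to check a real installation.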

SplunkTrust

The unfortunate thing about Splunk apps is they're not magic. Sometimes they work right out of the box and sometimes they don't. It depends on your data.

Start by looking at the o365_sourcetypes macro. Does it reference a sourcetype that exists in your data? What about the index name?

Does your data have fields called 'Workload' and 'user'?

---
If this reply helps you, an upvote would be appreciated.