All Apps and Add-ons

CurrentStatus Logs from Service Communications API in Office 365 Addon & CloudServices Addon - Log Delay

adityapavan18
Contributor

The logs ingested from endpoint "https://manage.office.com/api/v1.0/tenantid/ServiceComms/CurrentStatus" in splunk via Splunk Addon from Cloud Services & Splunk Addon for Microsoft Office 365 both are a day old.

Logs for CurrentStatus endpoint show events which have a 24 hour old timestamp. Is this a bug in the add-on? or does Microsoft Current Status Logs from API can only give you details for 24hours old data.

Indextime shows current datettime - 2018-12-11 12:45:19.207
But the actual _time on the event shows 2018-12-11 12:45:19.207

Is this a splunk bug?

0 Karma

melvinfuglem
New Member

This is not a splunk bug. The CurrentStatus response will contain the status and any incidents within the previous 24 hours. The StatusDate or StatusTime value returned will be exactly 24 hours in the past. So Current Status is acctually yesterdays Status.

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-...

0 Karma

brittainybarnes
Engager

It's actually a feature built-in to O365. There are certain audits that are generated within 30 minutes, and others that take 24 hours.
See here: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...

0 Karma

laurennt
New Member

This does not really answer the OPs question as CurrentStatus is not a function of auditing users. It is the status of the service we are having the same issue and trying to determine why it is 24 hours behind when Epoch time it is requesting is current

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!