Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Data stopped coming into Splunk for Splunk add...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Data stopped coming into Splunk for Splunk add-on for Microsoft Cloud Services,
We are running Splunk Enterprise 7.0.1
On our Splunk Heavy forwarder we installed and configured "Splunk add-on for Microsoft Cloudservices "(current version 2.0.3)
We stopped receiving any data in Splunk for that add-on as of yesterday evening.
Troubleshooting page for that add-on looks ok. It shows "Certificate Status: Auto-generated and verified as valid"
There are few errors: & warnings in Splunk internal index (sample errors to follow).
Any advices on how to approach this issue and possibly fix it will be appreciated.
Here are patterns of errors and warnings :
1) ...File "/export/opt/splunk/lib/python2.7/ssl.py", line 653, in read v = self._sslobj.read(len) SSLError: ('The read operation timed out',)
source = $SPLUNK_HOME/var/log/splunk/splunk_ta_microsoft-cloudservices_management.log
2) File "/export/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/httplib2/__init__.py", line 1059, in connect raise SSLHandshakeError(e) SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
source = $SPLUNK_HOME/var/log/splunk/splunk_ta_microsoft-cloudservices_management.log
3) Pipeline data does not have indexKey. [_path] = /export/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/ms_o365_management.py\n[_raw] = \n[_meta] = punct::\n[_stmid] = xeoUyu7qLzDHQE\n[MetaData:Source] = source::ms_o365_management\n[MetaData:Host] = host::dc1nix2p69\n[MetaData:Sourcetype] = sourcetype::ms_o365_management\n[_done] = _done\n[_linebreaker] = _linebreaker\n[_conf] = source::ms_o365_management|host::dc1nix2p69|ms_o365_management|\n
sourcet:/export/opt/splunk/var/log/splunk/splunkd.log
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no it doesn't. when will this get fixed? we also notice it stops working when the access token expires every 60 minutes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:
2018-01-19 ADDON-15540 Not Receiving MSCS data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
also noticing that data stops coming in when the access_token have expired. typically these has a lifetime of 60 minutes. The only way for data to resume is for a restart of the heavy forwarder.
There may be an issue with refreshing the tokens. It does not appear that this is happening successfully or properly.
Another observation is when the heavy forwarder has been turned off overnight as an AWS test instance, the morning start does not resume the data feed. a restart is required to resume the feed.
do i need to log a support ticket to this question?
thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
