
How can I make a copy of the App and replace microsoft_trace_url to use MailDetailMalware API?

dpanych
Communicator

Currently I'm using the App and it's pulling Message Trace event successfully. I want to make a second copy of the App and replace microsoft_trace_url to use **https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware?** and would also like to change the Sourcetype to **ms:o365:reporting:maildetailmalware**. The MailDetailMalware API works the same as MessageTrace API, so no other changes need to be made to the script. I tried making a copy of the App, renaming any content/scripts/variables/filenames that mention message_trace or messagetrace to a different variant, and it still did not work. This is my first time modifying a Splunk App that was built with the Add-on Builder, so I'm not 100% sure all that needs to be modified. I know the URL is modified in input_module_ms_o365_message_trace.py, but I'm not sure about the Sourcetype. Like I said, I've tried renaming the App and its content so that I can run the two apps side by side, but was not successful. It seemed to error because of duplicate (maybe?) app IDs.

@jconger - Any advice?


jconger
Splunk Employee

The easiest way to do this is to create a new add-on using the Add-on Builder. This way, your changes will not get wiped out when new versions of the existing add-on get released. Here are the steps at a high level:

  1. Download and install the Splunk Add-on Builder
  2. Create a new add-on
  3. Create an input for your add-on. Specify that the input will use your own Python code.
  4. Specify parameters for your input (use the same ones as the O365 reporting add-on if you like)
  5. Copy the contents of the input_module_ms_o365_message_trace.py and paste them into the code window in the add-on builder.
  6. Make any changes necessary.
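As an illustration of what the pasted-and-modified input module from steps 5 and 6 can look like, here is an added example in the Add-on Builder's `collect_events(helper, ew)` style. It is not code from the Splunk Add-on for Microsoft Office 365 Reporting or from the Add-on Builder itself. It assumes the Add-on Builder helper API names (`helper.get_arg`, `helper.send_http_request`, `helper.get_check_point`, `helper.save_check_point`, `helper.new_event`, `helper.get_output_index`, `ew.write_event`), that `reporting.svc` answers `$format=Json` with a `{"d": {"results": [...]}}` body whose dates look like `/Date(<milliseconds>)/`, and that the input defines `username`, `password` and `start_offset_hours` parameters; the check point key and the sample report row are constructed. The `FakeHelper` and `FakeEventWriter` classes exist only so the module runs offline.

```python
"""Add-on Builder style input for the Office 365 MailDetailMalware report (added example)."""
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

# The two values the question wants changed relative to the message trace input.
MAIL_DETAIL_MALWARE_URL = (
    "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware"
)
SOURCETYPE = "ms:o365:reporting:maildetailmalware"
CHECKPOINT_KEY = "maildetailmalware_last_end"  # hypothetical key; one input stanza assumed
_ODATA_DATE = re.compile(r"^/Date\((\d+)\)/$")  # assumed reporting.svc date form
_ODATA_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_query_params(start, end):
    """OData parameters for one StartDate/EndDate window, requesting JSON output."""
    return {
        "$format": "Json",
        "$filter": "StartDate eq datetime'%s' and EndDate eq datetime'%s'"
        % (start.strftime(_ODATA_FMT), end.strftime(_ODATA_FMT)),
    }


def odata_date_to_epoch(value):
    """'/Date(1700000000000)/' -> 1700000000; None when missing or malformed."""
    m = _ODATA_DATE.match(value or "")
    return int(m.group(1)) // 1000 if m else None


def parse_report(body):
    """Rows of a reporting.svc JSON body, assumed to look like {"d": {"results": [...]}}."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    d = doc.get("d", {})
    return d.get("results", []) if isinstance(d, dict) else list(d)


def collect_events(helper, ew):
    """Add-on Builder hook: fetch rows since the last check point and write them as events."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    last_end = helper.get_check_point(CHECKPOINT_KEY)
    start = (datetime.fromtimestamp(last_end, timezone.utc) if last_end
             else now - timedelta(hours=int(helper.get_arg("start_offset_hours") or 24)))
    creds = "%s:%s" % (helper.get_arg("username"), helper.get_arg("password"))
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode()}
    resp = helper.send_http_request(MAIL_DETAIL_MALWARE_URL, "GET",
                                    parameters=build_query_params(start, now),
                                    headers=headers, timeout=60)
    resp.raise_for_status()
    written = 0
    for row in parse_report(resp.text):
        row.pop("__metadata", None)  # OData bookkeeping, not part of the report row
        ew.write_event(helper.new_event(data=json.dumps(row),
                                        time=odata_date_to_epoch(row.get("Date")),
                                        sourcetype=SOURCETYPE,
                                        index=helper.get_output_index()))
        written += 1
    # Advance the check point only after the whole window has been written.
    helper.save_check_point(CHECKPOINT_KEY, int(now.timestamp()))
    return written


class FakeHelper:
    """Offline stand-in for the Add-on Builder helper; serves one constructed report row."""
    SAMPLE_BODY = json.dumps({"d": {"results": [{
        "__metadata": {"type": "TenantReporting.MailDetailMalwareReport"},
        "Date": "/Date(1700000000000)/", "Domain": "example.com", "Direction": "Inbound",
        "Subject": "Invoice", "MalwareName": "EICAR_Test_File",
        "SenderAddress": "sender@example.net", "RecipientAddress": "user@example.com"}]}})

    def __init__(self, args):
        self.args, self.checkpoints, self.requests = args, {}, []

    def get_arg(self, name):
        return self.args.get(name)

    def get_output_index(self):
        return "main"

    def get_check_point(self, key):
        return self.checkpoints.get(key)

    def save_check_point(self, key, value):
        self.checkpoints[key] = value

    def new_event(self, **fields):
        return fields

    def send_http_request(self, url, method, parameters=None, headers=None, timeout=None):
        self.requests.append((url, method, parameters))
        return SimpleNamespace(text=self.SAMPLE_BODY, raise_for_status=lambda: None)


class FakeEventWriter:
    def __init__(self):
        self.events = []

    def write_event(self, event):
        self.events.append(event)
```

The sourcetype is set per event in `new_event`, so the new add-on needs a matching `props.conf` stanza (for example one that sets `KV_MODE = json`) for the fields to be extracted at search time; the check point keeps a scheduled input from re-reading the same window on every run.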