All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Ingesting logs from Microsoft Teams

Steven33
Engager
‎01-09-2024 05:36 PM

Hi All,
I recently installed/configured the "Microsoft Teams Add-on for splunk" to ingest call logs and meeting info from Microsoft Teams. I have run into an isuue I was hoping someone could help with me.


[What I would like to do]
Ingesting call logs and meeting info from Microsoft Teams via "Microsoft Teams Add-on for splunk".


[What I did]
I have followed the instructions and configured the "Subscription", "User Reports", "Call Reports" and "Webhook".
Instructions:https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-microsoft-teams-data.html


[issue]"User Reports" and "Webhooks" has worked, but "Subscription" and " Call reports" has not worked. As a results, Teams logs are not ingested. I have granted all of the required permissions in Teams/Azure based on the instructions.


[error logs]
I checked the internal logs and detected many error logs, but reading the errors did not reveal a clear cause.
Among the logged problems indicated were the following:
From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/TA_MS_Teams_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA_MS_Teams#configs/conf-ta_ms_teams_settings, user=proxy.
message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/teams_subscription.py" 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/subscriptions
message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA_MS_Teams/bin/teams_subscription.py" requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/subscriptions


[environment]
Add-On Version: 1.1.3
Splunk Enterprise Verison: 9.1.2
Add-On is installed on a Splunk Enterprise.
Is the error in the error log due to the call log and subscriptions not working properly? Or does the webhook URL have to be https to work properly?
If anyone knows the reason, let me know.
Any help would be greatly appreciated.
Thanks,

Labels (3)
0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎01-22-2024 02:16 PM

The "Bad request for url..." verbiage typically points to an invalid webhook address.  Make sure the URL of the webhook is publically accessible, is addressable with HTTPS, and doesn't contain any private certificates in the chain.  This Lantern article (with a video walkthrough) may be helpful => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_the_Microsoft_Teams_Add-o...

 

As, an alternative, you can use Azure Functions to get the same call record data.  This way, you don't have to have the webhook on your forwarder.  Instead, all the plumbing happens in Azure and the data is pushed to Splunk via HEC.  Here is a Lantern article on that => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_reco...

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...