
Input settings about Microsoft Office 365 Reporting Add-on for Splunk

pipipipi
Path Finder

Hi all,

I want to import my Office 365 email logs into Splunk.
I have installed the Microsoft Office 365 Reporting Add-on for Splunk.

I made an input setting, but I don't understand the setting.

How should I set it if I want to import past data and continue importing future data?

For example, I wanted to import the data from April 1st, so I set it like this.

Name: test
Interval: 60
Index: test
Status: Active
Input mode: Continuous_monitor
Query window size (min): 60
Delay Throttle (min): 5
Start date and time: 2020-04-01T00:00:00

I think continuous_monitor continues every 60 minutes:
2020-04-01T00:00:00
2020-04-01T01:00:00
2020-04-01T02:00:00 .........

Start date and time is the start time from which I want to import data, right?

If I have missed something, could you please tell me.

Thank you for helping.


jconger
Splunk Employee

Based on the settings posted, here is what is going to happen:

  1. The first time the input runs, it will ask for data from 2020-04-01T00:00:00 (your start date) to 2020-04-01T01:00:00 (start date + your query window size of 60 minutes).
  2. During the run, the largest date/time stamp returned from the API will be saved as a checkpoint.
  3. 60 seconds later (your interval), the input will run again.
  4. The time frame for the query will be the checkpoint + 60 minutes (your query window size).
  5. Repeat starting at step 2.

The delay throttle comes into play for the end date of the query (checkpoint + query window size). The reason that delay parameter exists is to control how close to now the query can get. For example, let's say now is 2020-04-15T00:00:00. If the checkpoint was 2020-04-14T23:00:00, the end date/time would be 2020-04-15T00:00:00 (checkpoint + query window size). That end date is too close to now since it is less than 5 minutes (your delay throttle) from now. Therefore, the input would exit and run again 60 seconds (your interval) later. The input will not try to collect data until the end date/time (checkpoint + query window size) is within range based on your delay throttle.

The reason all that delay throttle stuff is important is MSFT may delay events up to 24 hours. If you query too soon, you may miss events. So, that delay throttle is a risk factor.

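The checkpoint, query window and delay throttle rules described in the answer above, modelled in Python as an added example (this is not the add-on's own code, and how the add-on implements them internally is not shown on the page). It assumes the input runs on every interval tick and that the checkpoint after a successful run equals the end of the queried window, i.e. that the API returned a message timestamped at the window's end.

```python
from datetime import datetime, timedelta


def plan_run(checkpoint, window_min, delay_min, now):
    """Return the (start, end) range this run would query, or None when the
    end of the window is closer to `now` than the delay throttle allows.
    End date = checkpoint + query window size; the run is skipped if
    now - end < delay throttle (the API may still be missing events)."""
    end = checkpoint + timedelta(minutes=window_min)
    if now - end < timedelta(minutes=delay_min):
        return None  # too close to now: exit and try again next interval
    return checkpoint, end


def simulate(start, window_min, delay_min, interval_sec, now, runs):
    """Tick the scheduler `runs` times, `interval_sec` apart on the wall clock,
    starting from `start`. Returns the list of ranges actually queried."""
    checkpoint = start
    executed = []
    for _ in range(runs):
        plan = plan_run(checkpoint, window_min, delay_min, now)
        if plan is not None:
            executed.append(plan)
            # Assumption: the largest timestamp returned equals the window end,
            # so that becomes the next checkpoint.
            checkpoint = plan[1]
        now += timedelta(seconds=interval_sec)
    return executed


if __name__ == "__main__":
    # The settings from the question: window 60 min, throttle 5 min,
    # interval 60 s, start 2020-04-01T00:00:00. "now" is a constructed value.
    clock = datetime(2020, 4, 1, 3, 2)
    for qstart, qend in simulate(datetime(2020, 4, 1), 60, 5, 60, clock, 5):
        print(f"query {qstart:%Y-%m-%dT%H:%M:%S} -> {qend:%Y-%m-%dT%H:%M:%S}")
```

With the clock at 03:02, the third tick is skipped because 03:00 is only 4 minutes old; the fourth tick runs it once the 5 minute throttle is satisfied.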


pipipipi
Path Finder

I fully understood. Thank you very much.
I have another question.
Can I change the time zone?
I think data is interacting with the UTC timezone, is it possible to change this in props.conf?


wstarowicz
Path Finder

You can add the following entry in props.conf:
[ms:o365:reporting:messagetrace]
TZ = Zulu
