Input settings about Microsoft Office 365 Reporting Add-on for Splunk

Path Finder

Hi all,

I want to import my Office 365 email logs into Splunk.
I have installed the Microsoft Office 365 Reporting Add-on for Splunk.

I made an input setting, but I don't understand the setting.

How to set if I want to import past data and continue to import future data?

For example, I wanted to import the data from April 1st,
so I set it like this.

Name: test
Interval: 60
Index: test
Status: Active
Input mode: Continuous_monitor
Query window size (min): 60
Delay Throttle (min): 5
Start date and time: 2020-04-01T00:00:00

I think continuous_monitor continues every 60 minutes:
2020-04-01T00:00:00
2020-04-01T01:00:00
2020-04-01T02:00:00 .........

Start date and time is start time that I want to import data, right?

If I am wrong, could you please tell me.

Thank you for helping.


Re: Input settings about Microsoft Office 365 Reporting Add-on for Splunk

Splunk Employee

Based on the settings posted, here is what is going to happen:

  1. The first time the input runs, it will ask for data from 2020-04-01T00:00:00 (your start date) to 2020-04-01T01:00:00 (start date + your query window size of 60 minutes).
  2. During the run, the largest date/time stamp returned from the API will be saved as a checkpoint.
  3. 60 seconds later (your interval), the input will run again.
  4. The time frame for the query will be the checkpoint + 60 minutes (your query window size).
  5. Repeat starting at step 2.

The delay throttle comes into play for the end date of the query (checkpoint + query window size). The reason that delay parameter exists is to control how close to now the query can get. For example, let's say now is 2020-04-15T00:00:00. If the checkpoint was 2020-04-14T23:00:00, the end date/time would be 2020-04-15T00:00:00 (checkpoint + query window size). That end date is too close to now since it is less than 5 minutes (your delay throttle) from now. Therefore, the input would exit and run again 60 seconds (your interval) later. The input will not try to collect data until the end date/time (checkpoint + query window size) is within range based on your delay throttle.

The reason all that delay throttle stuff is important is MSFT may delay events up to 24 hours. If you query too soon, you may miss events. So, that delay throttle is a risk factor.

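To make the checkpoint, query-window and delay-throttle behaviour described in the answer concrete, here is an added Python simulation (not the add-on's code and not part of the original post). It replays the runs with the poster's settings and shows why a short delay throttle can permanently miss a message that Microsoft reports late. The (checkpoint, checkpoint + window] boundaries, the rule that an empty window advances the checkpoint to its end, the first-run time and the two sample messages are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

def next_window(checkpoint, now, window, delay):
    """Delay-throttle rule from the answer: the query end (checkpoint + window)
    must be at least `delay` before `now`; otherwise the run exits and waits
    for the next interval."""
    end = checkpoint + window
    if now - end < delay:
        return None
    return checkpoint, end

def run_input(start, first_run, interval, window, delay, events, runs):
    """Simulate `runs` runs of the input, `interval` apart in wall-clock time.
    `events` are (timestamp, visible_from) pairs: the API only returns a
    message once the wall clock reaches visible_from (Microsoft's reporting
    lag). The checkpoint after a run is the largest timestamp returned; an
    empty window advances it to the window end (assumption, the post does not
    say what the add-on does then). Returns (collected, checkpoint)."""
    checkpoint, collected = start, set()
    for k in range(runs):
        now = first_run + k * interval
        w = next_window(checkpoint, now, window, delay)
        if w is None:
            continue
        lo, hi = w
        got = [ts for ts, seen in events if lo < ts <= hi and seen <= now]
        collected.update(got)
        checkpoint = max(got) if got else hi
    return collected, checkpoint

# Constructed sample: two messages in the 23:00-00:00 window. The first is
# reported immediately; the second only shows up in the API an hour late.
T0 = datetime(2020, 4, 14, 23, 0)
EVENTS = [
    (T0 + timedelta(minutes=30), T0 + timedelta(minutes=30)),
    (T0 + timedelta(minutes=15), T0 + timedelta(minutes=75)),
]

def demo(delay_minutes, runs):
    """Run the input with the post's settings (60 s interval, 60 min window)
    and the given delay throttle; return the set of timestamps collected."""
    collected, _ = run_input(
        start=T0, first_run=datetime(2020, 4, 15, 0, 6),
        interval=timedelta(seconds=60), window=timedelta(minutes=60),
        delay=timedelta(minutes=delay_minutes), events=EVENTS, runs=runs)
    return collected

if __name__ == "__main__":
    print("delay 5 min:", sorted(demo(5, 100)))      # late message missed
    print("delay 24 h: ", sorted(demo(1440, 1500)))  # both messages collected
```

With a 5-minute throttle the first query runs before the late message is visible, the checkpoint then moves past it, and it is never collected; with a 24-hour throttle the same window is queried only after the lag has elapsed and both messages are picked up.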

Re: Input settings about Microsoft Office 365 Reporting Add-on for Splunk

Path Finder

I fully understood. Thank you very much.
I have another question.
Can I change the time zone?
I think data is interacting with the UTC timezone, is it possible to change this in props.conf?


Re: Input settings about Microsoft Office 365 Reporting Add-on for Splunk

Path Finder

You can add the following entry in props.conf:
[ms:o365:reporting:messagetrace]
TZ = Zulu
