I am troubleshooting a latency issue for one sourcetype.
When I ran this query, index=_internal sourcetype=splunk:ta:o365:log level=ERROR, I got:
2019-09-05 14:28:42,350 level=ERROR pid=21332 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:67 | datainput="O365_prod_DLP" start_time=1567708121 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 65, in wrapper
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 100, in run
executor.run(adapter)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/batch.py", line 47, in run
for jobs in delegate.discover():
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 125, in discover
subscription.start(session)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 150, in start
response = self._perform(session, 'POST', '/subscriptions/start', params)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 159, in _perform
return self._request(session, method, url, kwargs)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 171, in _request
raise O365PortalError(response)
O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
Could this be the reason for the time differences?
Your help will be greatly appreciated.
Error code AF10001 indicates that the permission set sent in the request did not include the expected permission.
You need to enable the permissions below as both Delegated permissions and Application permissions in your Azure cloud.
1. ActivityFeed.Read
2. ServiceHealth.Read
3. ActivityFeed.ReadDlp (Optional)
So can you please try to provide access?
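As an added example (not part of the original answer or of the Splunk Add-on for Microsoft Office 365), a small Python parser that walks splunk:ta:o365:log lines, pairs each ERROR event's datainput with the O365PortalError that follows it, and pulls the HTTP status and Office 365 error code out of the embedded JSON, so that latency on one input can be tied to a failed subscription start. The sample log lines are constructed from the traceback in this thread, and the REMEDIATION table is a hypothetical mapping that only covers the AF10001 case discussed here.

```python
import json
import re

# Constructed sample: the failing DLP input from this thread plus one healthy
# INFO event that the parser must ignore.
SAMPLE_LOG = """\
2019-09-05 14:28:42,350 level=ERROR pid=21332 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:67 | datainput="O365_prod_DLP" start_time=1567708121 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 171, in _request
    raise O365PortalError(response)
O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
2019-09-05 14:29:01,004 level=INFO pid=21332 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:run:90 | datainput="O365_prod_Audit" start_time=1567708141 | message="Data input completed."
"""

# Header of a TA event: timestamp, level, then the datainput field after the first pipe.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) level=(?P<level>\w+) '
    r'.*?\| datainput="(?P<datainput>[^"]+)"'
)
# Last line of the traceback: "O365PortalError: <http status>:<json body>".
PORTAL_ERR_RE = re.compile(r'^O365PortalError: (?P<status>\d{3}):(?P<body>\{.*\})$')

# Hypothetical remediation hints; only the code seen in this thread is mapped.
REMEDIATION = {
    "AF10001": "grant ActivityFeed.Read and ServiceHealth.Read (plus ActivityFeed.ReadDlp "
               "for DLP inputs) as both Delegated and Application permissions",
}


def parse_portal_errors(text):
    """Return one finding per O365PortalError, attributed to the preceding ERROR event's datainput."""
    current = None  # header of the most recent ERROR event, or None
    findings = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict() if m.group("level") == "ERROR" else None
            continue
        e = PORTAL_ERR_RE.match(line)
        if e and current:
            try:
                code = json.loads(e.group("body"))["error"]["code"]
            except (ValueError, KeyError, TypeError):
                code = "unparsed"  # body was not the expected {"error": {"code": ...}} shape
            findings.append({
                "datainput": current["datainput"],
                "ts": current["ts"],
                "status": int(e.group("status")),
                "code": code,
                "hint": REMEDIATION.get(code, "see the Office 365 Management API error reference"),
            })
    return findings


if __name__ == "__main__":
    for f in parse_portal_errors(SAMPLE_LOG):
        print(f"{f['ts']} input={f['datainput']} HTTP {f['status']} {f['code']}: {f['hint']}")
```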