All Apps and Add-ons

Latency problems (1140mins) for sourcetype o365:service:status/ Python Code Error messages

layamba
Explorer

I am troubleshooting Latency issue for one sourcetype.
When I used this query index=_internal sourcetype=splunk:ta:o365:log level=ERROR

I see this error:

2019-09-05 14:28:42,350 level=ERROR pid=21332 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:67 | datainput="O365_prod_DLP" start_time=1567708121 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 65, in wrapper
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 100, in run
executor.run(adapter)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/batch.py", line 47, in run
for jobs in delegate.discover():
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 125, in discover
subscription.start(session)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 150, in start
response = self._perform(session, 'POST', '/subscriptions/start', params)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 159, in _perform
return self._request(session, method, url, kwargs)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 171, in _request
raise O365PortalError(response)
O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}


Could this be the reason for the time differences?
Your help will be grateful

hkubavat_splunk
Splunk Employee
Splunk Employee

From the Error Code: AF10001 indicates that permission did not include the expected permission.
You need to enable below permissions to Delegated permission as well as Applications Permission in your azure cloud.
1. ActivityFeed.Read
2. ServiceHealth.Read
3. ActivityFeed.ReadDlp (Optional)
So can you please try to provide access?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!