Latency problems (1140mins) for sourcetype o365:service:status/ Python Code Error messages

layamba
Explorer

I am troubleshooting a latency issue for one sourcetype.
When I use this query: index=_internal sourcetype=splunk:ta:o365:log level=ERROR

I see this error:

2019-09-05 14:28:42,350 level=ERROR pid=21332 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:67 | datainput="O365_prod_DLP" start_time=1567708121 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 65, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 100, in run
    executor.run(adapter)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/batch.py", line 47, in run
    for jobs in delegate.discover():
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 125, in discover
    subscription.start(session)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 150, in start
    response = self._perform(session, 'POST', '/subscriptions/start', params)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 159, in _perform
    return self._request(session, method, url, kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 171, in _request
    raise O365PortalError(response)
O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}


Could this be the reason for the time differences?
Your help would be greatly appreciated.

hkubavat_splunk
Splunk Employee

Error code AF10001 indicates that the permission set did not include the expected permission.
You need to enable the permissions below as Delegated permissions as well as Application permissions in your Azure cloud.
1. ActivityFeed.Read
2. ServiceHealth.Read
3. ActivityFeed.ReadDlp (Optional)
So can you please try to provide access?

0 Karma
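
One way to confirm that the permissions listed in the answer above actually reach the access token, as an added example (not code from the add-on or from either poster). It assumes the usual Azure AD token layout, where application permissions appear in the `roles` claim and delegated ones in `scp`; the function names are hypothetical and both sample tokens are constructed.

```python
import base64
import json

# Permission names taken from the answer above.
REQUIRED = {"ActivityFeed.Read", "ServiceHealth.Read"}
OPTIONAL_DLP = "ActivityFeed.ReadDlp"


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims):
    """Assumption: 'roles' is a list (application), 'scp' is space-separated (delegated)."""
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return set(roles) | set(scopes)


def missing_permissions(token, need_dlp=False):
    """Return the sorted permissions from the answer that the token does not carry."""
    wanted = REQUIRED | ({OPTIONAL_DLP} if need_dlp else set())
    return sorted(wanted - granted_permissions(jwt_claims(token)))


def _make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed samples: a token with an empty permission set and a fully consented one.
EMPTY_TOKEN = _make_token({"aud": "https://manage.office.com"})
GOOD_TOKEN = _make_token({"aud": "https://manage.office.com",
                          "roles": ["ActivityFeed.Read", "ActivityFeed.ReadDlp", "ServiceHealth.Read"]})

if __name__ == "__main__":
    print("empty token missing:", missing_permissions(EMPTY_TOKEN, need_dlp=True))
    print("good token missing: ", missing_permissions(GOOD_TOKEN, need_dlp=True))
```

An empty result means the token carries every permission the answer lists; anything returned still needs to be granted and consented in Azure.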