
Message Trace - Splunk Add-On for Microsoft Office 365

shaunm001
Path Finder

Hi, we've configured the "Message Trace" input type for the Splunk Add-On for Microsoft Office 365 but don't seem to be receiving any data. Other input types (Mailbox, Management Activity, etc.) are working. Not sure what the problem is; any suggestions on how to troubleshoot?

I did notice a discrepancy when viewing the current configuration of the input versus the options available when editing the input (the same value is reported "in days" in one place and "in minutes" in another):

[Screenshot: the input's current configuration shows the delay throttle value "in days", while the edit form shows the same value "in minutes"]

Could it be my delay throttle truly is set to 1440 days rather than minutes?

I believe I have all the API permissions set correctly, but let me know if this doesn't look right:

[Screenshot: the configured API permissions]



Meett
Splunk Employee

Hello @shaunm001 ,

Can you please check the internal logs specific to this input? Are there any ERROR logs present?


shaunm001
Path Finder

Hello, I'm not exactly sure where to check the logs for this Add-On. Am I looking in Splunk or am I looking on the Azure side?


Meett
Splunk Employee

Hello @shaunm001 ,

You should first check the internal logs in Splunk using a query such as:

index="_internal" *O365* *ERROR*

Based on ERROR logs we can troubleshoot this further.


shaunm001
Path Finder

There are no "ERROR" messages associated with the message trace input, but there are numerous "INFO" messages that seem to indicate data is being successfully brought in:

[Screenshot: INFO-level internal log messages for the message trace input]

I just don't see anything that looks like a message trace entry when searching the index that I've configured for these logs. Unless it's these "Exchange" records that show operations like "Send", "MailItemsAccessed", etc., but I feel like those are coming from a different input (e.g., the "Mailbox Usage Detail" input):

[Screenshot: "Exchange" workload events showing operations such as "Send" and "MailItemsAccessed"]


Meett
Splunk Employee

@shaunm001 You can check the source-type along with the index you are searching to; it should have a presence of MessageTrace. I can't see much of your environment, but if you still have confusion you can put in a support case to get more help.

shaunm001
Path Finder

Ah, I do see it now, thanks. I was assuming all data would be included in one of the "Workload" (e.g. "Exchange") or "app" data values, but the sourcetype "o365:reporting:messagetrace" does not have "Workload" or "app" data values, and I was excluding the message trace events with search parameters like Workload="*".

Appreciate the help! 

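The checks Meett suggests (internal logs first, then whether the sourcetype is present in the target index) and the search pitfall shaunm001 ran into can be put together as the SPL below. This is an added example, not taken from the thread or from the add-on's own documentation; `<o365_index>` stands for whatever index the Message Trace input was configured to write to, the ERROR-only search from the thread is widened to WARN, and the 24-hour and 7-day windows are arbitrary choices:

```spl
index=_internal *O365* (ERROR OR WARN) earliest=-24h
| stats count by source

index=<o365_index> sourcetype="o365:reporting:messagetrace" earliest=-7d
| stats count min(_time) AS first_seen max(_time) AS last_seen
| convert ctime(first_seen) ctime(last_seen)

index=<o365_index> earliest=-24h
| eval Workload=coalesce(Workload, "(no Workload field)")
| stats count by sourcetype, Workload

index=<o365_index> earliest=-24h (Workload="*" OR sourcetype="o365:reporting:messagetrace")
```

The first search surfaces any add-on errors or warnings grouped by log source. The second confirms that message trace events exist at all and when the first and last were indexed, which is the quick way to tell a broken input from one that is merely delayed. The third makes the pitfall visible: `Workload="*"` only matches events that carry a `Workload` field, so events from `o365:reporting:messagetrace`, which have none, are silently dropped by any search that filters on it; the `coalesce` label shows which sourcetypes fall into that bucket. The last search is the corrected form that keeps the Workload-based events and includes the message trace sourcetype explicitly.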