All Apps and Add-ons

Microsoft O365 Email Add-on for Splunk

jwalzerpitt
Influencer

Has anyone installed and configured Microsoft O365 Email Add-on for Splunk?

I have a few concerns such as using a transport rule to bcc every single message sent through our tenant to a single account.  During the day that is about 100k messages an hour. It's a lot all going to one account. We will almost certainly brush up against the 1.4 million daily limit mentioned in the app's description.

Just curious to see how this add-on has worked for others and any issues they've had/seen.

Thx

Labels (1)
Tags (3)
0 Karma

robayers
Explorer

I've tried to  get this app working  for a  small tenant but have  been unsuccessful. Im getting secret errors in the log files.  Can anyone help?

 

2021-04-25 23:26:01,469 ERROR pid=5900 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\ta_microsoft_o365_email_add_on_for_splunk\aob_py3\modinput_wrapper\base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\o365_email.py", line 132, in collect_events
input_module.collect_events(self, ew)
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\input_module_o365_email.py", line 185, in collect_events
access_token = _get_access_token(helper)
File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\input_module_o365_email.py", line 64, in _get_access_token
CURRENT_TOKEN = access_token[ACCESS_TOKEN]
KeyError: 'access_token'

0 Karma

patelaa
Explorer

@robayers 

I've been messing around with this app for a few days and just got it working after seeing the same errors as you.

You'll want to make sure your API permissions are set correctly and admin consent is granted in Azure then double check your configuration and input settings in the app.

When adding the account under configuration in the app make sure you're using the Application (Client) ID found in the Overview section in Azure rather than the Client Secrets ID, this ended up being my issue.

Also check that your traffic isn't getting blocked somewhere in your network. I found another thread where someone mentioned that was their issue. I can't find it again but they said something about their firewall not liking the endpoint input option set to worldwide and they were able to get it to work by setting that to USGovGCCHigh so that may be worth trying.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...