Microsoft O365 Email Add-on for Splunk

jwalzerpitt
Influencer

Has anyone installed and configured Microsoft O365 Email Add-on for Splunk?

I have a few concerns such as using a transport rule to bcc every single message sent through our tenant to a single account.  During the day that is about 100k messages an hour. It's a lot all going to one account. We will almost certainly brush up against the 1.4 million daily limit mentioned in the app's description.

Just curious to see how this add-on has worked for others and any issues they've had/seen.

Thx

robayers
Explorer

I've tried to get this app working for a small tenant but have been unsuccessful. I'm getting secret errors in the log files. Can anyone help?

2021-04-25 23:26:01,469 ERROR pid=5900 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\ta_microsoft_o365_email_add_on_for_splunk\aob_py3\modinput_wrapper\base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\o365_email.py", line 132, in collect_events
    input_module.collect_events(self, ew)
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\input_module_o365_email.py", line 185, in collect_events
    access_token = _get_access_token(helper)
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\input_module_o365_email.py", line 64, in _get_access_token
    CURRENT_TOKEN = access_token[ACCESS_TOKEN]
KeyError: 'access_token'

patelaa
Explorer

@robayers 

I've been messing around with this app for a few days and just got it working after seeing the same errors as you.

You'll want to make sure your API permissions are set correctly and admin consent is granted in Azure then double check your configuration and input settings in the app.

When adding the account under configuration in the app make sure you're using the Application (Client) ID found in the Overview section in Azure rather than the Client Secrets ID, this ended up being my issue.

Also check that your traffic isn't getting blocked somewhere in your network. I found another thread where someone mentioned that was their issue. I can't find it again but they said something about their firewall not liking the endpoint input option set to worldwide and they were able to get it to work by setting that to USGovGCCHigh so that may be worth trying.
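Whether the cause is the wrong ID pasted as the client ID, a bad secret, or a firewall returning an HTML block page, the KeyError in the traceback above is the same underlying failure: the token endpoint answered with something that has no access_token in it, and the response was indexed without being checked. The following is an added example, not code from the add-on or from anyone in this thread, of a client-credentials token request that surfaces the identity platform's own error text instead. The v2.0 token endpoint, the Graph .default scope, the urllib transport helper and the two JSON responses are assumptions and constructed samples, not values from the page.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Constructed sample responses, not captured from a real tenant.
TOKEN_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                       "access_token": "eyJ0eXAiOiJKV1Qi.CONSTRUCTED.TOKEN"})
TOKEN_ERR = json.dumps({"error": "unauthorized_client",
                        "error_description": "AADSTS700016: Application with identifier "
                                             "'00000000-0000-0000-0000-000000000000' was not "
                                             "found in the directory.\r\nTrace ID: constructed",
                        "error_codes": [700016]})


class TokenRequestError(Exception):
    """Carries the identity platform's error text instead of an opaque KeyError."""


def parse_token_response(status: int, body: str) -> str:
    """Return the bearer token, or raise with the AAD error; never index blindly."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):  # e.g. a proxy or firewall block page instead of JSON
        raise TokenRequestError(f"HTTP {status}: token endpoint did not return a JSON object")
    if "error" in data:
        codes = ",".join(str(c) for c in data.get("error_codes", []))
        desc = data.get("error_description", "").splitlines()[0]  # drop trace/correlation ids
        raise TokenRequestError(f"HTTP {status} {data['error']} [{codes}]: {desc}")
    token = data.get("access_token")
    if not token:
        raise TokenRequestError(f"HTTP {status}: no access_token in response; keys={sorted(data)}")
    return token


def _post_form(url: str, form: dict) -> tuple:
    """Hypothetical transport helper: POST a urlencoded form, return (status, body)."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:  # AAD returns 400/401 with a JSON error body
        return e.code, e.read().decode()


def request_token(tenant_id: str, client_id: str, client_secret: str, post=_post_form) -> str:
    """Client-credentials grant on the v2.0 endpoint (assumed to match what the add-on does)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}
    status, body = post(url, form)  # the secret is never placed in any error message
    return parse_token_response(status, body)
```

Running it against the tenant with the Application (client) ID versus the client secret's ID makes the difference visible in the log line rather than as a stack trace.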
