Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

scannon4
Communicator

I have the Office 365 Reporting Add-on for Splunk installed and configured. When the URL is sent by the app to get the data, I am getting an HTTP Request Error 400. The actual line in the log file is below:

HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'

Any idea what the issue could be? I did try the URL above outside the app using my credentials for O365 and I get the same 400 HTTP error. Any assistance would be great.

_smp_
Builder

I was also having this issue trying to get Audit.General logs. It turns out there is a Python script packaged with the app that sets a time-delta threshold. I fixed this by lowering the threshold from the default 7 days (packaged with the app) to match our environment (which happens to be six days).

The script is:
bin/splunk_ta_o365/modinputs/management_activity.py.

The line I had to change was:
last_updated_time = datetime.utcfromtimestamp(now) - timedelta(days=7)

Not the ideal solution, but it seems to work. I hope the next version of the app makes this a configurable parameter.

atguilmette78
New Member

This error occurs if you specify a collection starting date > 7 days in the past. Some references:

https://msdn.microsoft.com/en-us/office-365/troubleshooting-the-office-365-management-activity-api

jconger
Splunk Employee

There is a limit to how far back you can go. The max is 7 days in the past. This is a Microsoft API limit unfortunately. However, you can run a message trace in the Office 365 admin center farther back than 7 days. You can export this data to CSV and import it to Splunk if necessary.
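
An added example, not part of the original thread or the add-on's code: a pre-flight check that clamps a configured start time to the 7-day limit described above and reports the older range that would have to come from the CSV export instead. The function names and the 5-minute safety margin are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(days=7)      # limit stated in this thread
SAFETY_MARGIN = timedelta(minutes=5)  # assumption: slack for clock skew and request latency


def parse_start(value):
    """Parse an ISO-8601 start time; naive values are treated as UTC (assumption)."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def plan_collection(requested_start, now=None):
    """Return (effective_start, gap).

    gap is the (start, end) range older than the API limit, which has to be
    backfilled another way (for example the CSV export), or None.
    """
    now = now or datetime.now(timezone.utc)
    start = parse_start(requested_start)
    if start > now:
        raise ValueError("start time is in the future: %s" % start.isoformat())
    oldest_allowed = now - MAX_LOOKBACK + SAFETY_MARGIN
    if start >= oldest_allowed:
        return start, None          # request is inside the window, use as-is
    return oldest_allowed, (start, oldest_allowed)


if __name__ == "__main__":
    # Constructed sample values: a June 2017 start date checked in November 2017.
    now = datetime(2017, 11, 12, 9, 1, 37, tzinfo=timezone.utc)
    effective, gap = plan_collection("2017-06-01T00:00:00", now=now)
    print("collect from:", effective.isoformat())
    if gap:
        print("backfill manually:", gap[0].isoformat(), "to", gap[1].isoformat())
```

Logging the returned gap makes the missing period visible to whoever relies on the index, instead of leaving only a 400 error in the input's log.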

princemanto2580
Path Finder

Hi, I am getting a 401 Client Error: Unauthorized for the URL.

2017-11-12 09:01:37,305 ERROR pid=21224 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'

I tried the above URL from the web, but I cannot log in.

Any details will be helpful.

scannon4
Communicator

It appears that I only get this error if I fill in the optional Start Date/Time field. Is there a bug there, maybe? I need to go back and get data from June 2017 until today.

scannon4
Communicator

I am wondering if there is a limit to how far back you can go to grab data as I verified the format of the URL is correct. Can anyone verify how far back you can grab trace data from O365?
