All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

scannon4
Communicator
‎10-22-2017 01:09 PM

I have the Office 365 Reporting Add-on for Splunk installed and configured. When the URL is sent by the app to get the data, I am getting an HTTP Request Error 400. The actual line in the log file is below:

HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'

Any idea what the issue could be? I did try the URL above outside the app using my credentials for O365 and I get the same 400 HTTP error. Any assistance would be great.

Reply

_smp_
Builder
‎03-05-2019 09:21 AM

I was also having this issue trying to get Audit.General logs. It turns out there is a python script packaged with the app that sets a time-delta threshold. I fixed this by lowering the threshold from the default 7 days (packaged with the app) to match our environment (which happens to be six days).

The script is:
bin/splunk_ta_o365/modinputs/management_activity.py.

The line I had to change was:
last_updated_time = datetime.utcfromtimestamp(now) - timedelta(days=7)

Not the ideal solution, but it seems to work. I hope the next version of the app makes this a configurable parameter.

0 Karma
Reply

atguilmette78
New Member
‎05-07-2018 12:58 PM

This error occurs if you specify a collection starting date > 7 days in the past. Some references:

https://msdn.microsoft.com/en-us/office-365/troubleshooting-the-office-365-management-activity-api

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎04-03-2018 08:28 AM

There is a limit to how far back you can go. The max is 7 days in the past. This is a Microsoft API limit unfortunately. However, you can run a message trace in the Office 365 admin center father back than 7 days. You can export this data to CSV and import to Splunk if necessary.

Reply

princemanto2580
Path Finder
‎11-13-2017 09:40 PM

Hi, for me getting an error on 401 Client Error for Unauthorized URL.

2017-11-12 09:01:37,305 ERROR pid=21224 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'

I tried the above URL from the web, but I cannot login inside.

Any details will be helpful.

0 Karma
Reply

scannon4
Communicator
‎10-22-2017 01:23 PM

It appears that I only get this error if I fill in the optional Start Date/Time field. Is there a bug there, maybe? I need to go back and get data from June 2017 until today.

0 Karma
Reply

scannon4
Communicator
‎10-22-2017 01:32 PM

I am wondering if there is a limit to how far back you can go to grab data as I verified the format of the URL is correct. Can anyone verify how far back you can grab trace data from O365?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...