
Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

SplunkTrust

I have the Office 365 Reporting Add-on for Splunk installed and configured. When the URL is sent by the app to get the data, I am getting an HTTP Request Error 400. The actual line in the log file is below:

HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'

Any idea what the issue could be? I did try the URL above outside the app using my credentials for O365 and I get the same 400 HTTP error. Any assistance would be great.


Re: Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

SplunkTrust

It appears that I only get this error if I fill in the optional Start Date/Time field. Is there a bug there, maybe? I need to go back and get data from June 2017 until today.

0 Karma

Re: Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

SplunkTrust

I am wondering if there is a limit to how far back you can go to grab data as I verified the format of the URL is correct. Can anyone verify how far back you can grab trace data from O365?

0 Karma

Re: Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

Hi, I am getting a 401 Client Error: Unauthorized for the URL.

2017-11-12 09:01:37,305 ERROR pid=21224 tid=MainThread file=basemodinput.py:logerror:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'

I tried the above URL from the web, but I cannot log in.

Any details will be helpful.

0 Karma

Re: Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

Splunk Employee

There is a limit to how far back you can go. The max is 7 days in the past. This is a Microsoft API limit, unfortunately. However, you can run a message trace in the Office 365 admin center farther back than 7 days. You can export this data to CSV and import it to Splunk if necessary.


Re: Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

New Member

This error occurs if you specify a collection starting date > 7 days in the past. Some references:

https://msdn.microsoft.com/en-us/office-365/troubleshooting-the-office-365-management-activity-api

0 Karma

Re: Microsoft Office 365 Reporting Add-on for Splunk: HTTP Request Error 400

Builder

I was also having this issue trying to get Audit.General logs. It turns out there is a python script packaged with the app that sets a time-delta threshold. I fixed this by lowering the threshold from the default 7 days (packaged with the app) to match our environment (which happens to be six days).

The script is:
bin/splunktao365/modinputs/management_activity.py.

The line I had to change was:
lastupdatedtime = datetime.utcfromtimestamp(now) - timedelta(days=7)

Not the ideal solution, but it seems to work. I hope the next version of the app makes this a configurable parameter.

0 Karma
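The lookback limit described in the replies above, as an added example that is not part of the thread or of the add-on's own code: it clamps a requested start time to a configurable window and reports the span that has to be backfilled by hand, so a collection gap is visible instead of surfacing only as a 400. The function name `plan_collection`, the safety margin and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# The thread reports 7 days as the API maximum; one reply needed 6 days.
DEFAULT_MAX_LOOKBACK = timedelta(days=7)
# Assumption: a margin so clock skew does not push the start past the limit.
SAFETY_MARGIN = timedelta(minutes=5)


def plan_collection(requested_start, now=None, max_lookback=DEFAULT_MAX_LOOKBACK):
    """Clamp a requested start time to the API lookback window.

    Returns (effective_start, gap). gap is None when the request fits the
    window, otherwise a (start, end) tuple for the period the API cannot
    serve and that needs a manual backfill (e.g. the CSV export route).
    """
    if requested_start.tzinfo is None:
        raise ValueError("requested_start must be timezone-aware")
    if max_lookback <= SAFETY_MARGIN:
        raise ValueError("max_lookback must exceed the safety margin")
    now = now or datetime.now(timezone.utc)
    if requested_start > now:
        raise ValueError("requested_start is in the future")
    earliest = now - max_lookback + SAFETY_MARGIN
    if requested_start >= earliest:
        return requested_start, None
    return earliest, (requested_start, earliest)


if __name__ == "__main__":
    # Constructed sample values: "now" and a start date in June 2017.
    now = datetime(2017, 11, 12, 9, 0, tzinfo=timezone.utc)
    start, gap = plan_collection(datetime(2017, 6, 1, tzinfo=timezone.utc), now)
    print("query from:", start.isoformat())
    if gap:
        print("backfill manually:", gap[0].isoformat(), "to", gap[1].isoformat())
```

Logging the returned gap at input-configuration time gives an auditable record of which period is missing from the index.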