I have the Office 365 Reporting Add-on for Splunk installed and configured. When the URL is sent by the app to get the data, I am getting an HTTP Request Error 400. The actual line in the log file is below:
HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'
Any idea what the issue could be? I did try the URL above outside the app using my credentials for O365 and I get the same 400 HTTP error. Any assistance would be great.
It appears that I only get this error if I fill in the optional Start Date/Time field. Is there a bug there, maybe? I need to go back and get data from June 2017 until today.
I am wondering if there is a limit to how far back you can go to grab data as I verified the format of the URL is correct. Can anyone verify how far back you can grab trace data from O365?
Hi, for me getting an error on 401 Client Error for Unauthorized URL.
2017-11-12 09:01:37,305 ERROR pid=21224 tid=MainThread file=basemodinput.py:logerror:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...'
I tried the above URL from the web, but I cannot login inside.
Any details will be helpful.
There is a limit to how far back you can go. The max is 7 days in the past. This is a Microsoft API limit unfortunately. However, you can run a message trace in the Office 365 admin center father back than 7 days. You can export this data to CSV and import to Splunk if necessary.
I was also having this issue trying to get Audit.General logs. It turns out there is a python script packaged with the app that sets a time-delta threshold. I fixed this by lowering the threshold from the default 7 days (packaged with the app) to match our environment (which happens to be six days).
The script is:
The line I had to change was:
lastupdatedtime = datetime.utcfromtimestamp(now) - timedelta(days=7)
Not the ideal solution, but it seems to work. I hope the next version of the app makes this a configurable parameter.