Microsoft Office 365 Reporting Add-on for Splunk: Is it possible to reset the start time without reinstalling the App?

bradp1234
Path Finder

I have experienced this issue twice. The app will crash and get behind and not be able to catch up. I think o365 api only keeps a certain time frame of logs and then after that they are not accessible. Once the installation is querying the logs that are inaccessible, the app never catches back up to when logs are present. In the past the only solution was to reinstall the app. But the start and end date must be located in a kvstore or lookup somewhere. Has anyone figured out how to update those values without reinstalling the app? I have tried the web interface, but once the app gets started it doesn't seem to respect the start date inputted into the web configuration. Any help is appreciated.

Using version 1.1.0 of the app
Splunk enterprise version: 6.6.7

1 Solution

jconger
Splunk Employee

The checkpoint is indeed stored in the KV store. You can delete your existing input and create a new input with a different name rather than uninstall/reinstall the add-on. The reason for the different name is the "key" used in the KV store is the input name.


0 Karma

MuS
Legend

Hi bradp1234,

I had a similar issue where the input stopped unnoticed for more than 2 weeks, and once it was restarted the events were no longer available from the MS API :facepalm:

It took me some time to troubleshoot the script/issue, but once I found who and where the checkpoint is accessed it was easy to manually check and update the checkpoint hidden deep inside this weird REST API / KV store construct.

You can use this command to see the checkpoint:

curl -k https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

And you can use this command to modify the checkpoint:

curl -k --header "Content-Type: application/json" --request POST --data '[ { "state" : "{\"max_date\": \"2018-11-20 18:56:17.772814\"}", "_user" : "nobody", "_key" : "O365_<input name here>_checkpoint"}] ' https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

Hope this helps should you have further issues ...

cheers, MuS
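
The checkpoint record from the two curl commands above, handled in Python as an added example (not part of the original post or the add-on's own code): it decodes the nested `state` string, measures how far the checkpoint trails the clock so a stalled input can be noticed, and builds the body for the POST. The input name `example_input`, the fixed clock and the seven-day rollback are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # format of max_date in the post above


def checkpoint_key(input_name):
    """Key layout from the post: O365_<input name>_checkpoint."""
    return f"O365_{input_name}_checkpoint"


def read_max_date(record):
    """Decode the JSON string nested in 'state' and return max_date as a datetime."""
    state = json.loads(record["state"])
    return datetime.strptime(state["max_date"], TS_FORMAT)


def checkpoint_lag(record, now):
    """How far the checkpoint trails 'now'; a growing value means the input has stalled."""
    return now - read_max_date(record)


def build_update(input_name, new_max_date, now):
    """Return the JSON body for the POST, refusing a checkpoint set in the future."""
    if new_max_date > now:
        raise ValueError("a future checkpoint would silently skip events")
    # 'state' is itself a JSON document stored as a string, so it is encoded twice.
    state = json.dumps({"max_date": new_max_date.strftime(TS_FORMAT)})
    record = {"state": state, "_user": "nobody", "_key": checkpoint_key(input_name)}
    return json.dumps([record])


# Constructed sample record, shaped like the one in the POST body above.
SAMPLE = {
    "state": "{\"max_date\": \"2018-11-20 18:56:17.772814\"}",
    "_user": "nobody",
    "_key": "O365_example_input_checkpoint",
}

if __name__ == "__main__":
    now = datetime(2018, 12, 5, 9, 0, 0)  # fixed clock so the run is repeatable
    print("lag:", checkpoint_lag(SAMPLE, now))
    # Assumption: roll back 7 days; use whatever window the API still serves.
    print(build_update("example_input", now - timedelta(days=7), now))
```

The printed body can be passed to the `--data` option of the second curl command in place of the hand-escaped JSON.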

bradp1234
Path Finder

Thank you!

0 Karma