Microsoft Office 365 Reporting Add-on for Splunk: Is it possible to reset the start time without reinstalling the App?

bradp1234
Path Finder

I have experienced this issue twice. The app will crash and get behind and not be able to catch up. I think the o365 API only keeps a certain time frame of logs, and after that they are not accessible. Once the installation is querying the logs that are inaccessible, the app never catches back up to when logs are present. In the past the only solution was to reinstall the app. But the start and end date must be located in a kvstore or lookup somewhere. Has anyone figured out how to update those values without reinstalling the app? I have tried the web interface, but once the app gets started it doesn't seem to respect the start date entered into the web configuration. Any help is appreciated.

Using version 1.1.0 of the app
Splunk enterprise version: 6.6.7

1 Solution

jconger
Splunk Employee

The checkpoint is indeed stored in the KV store. You can delete your existing input and create a new input with a different name rather than uninstall/reinstall the add-on. The reason for the different name is the "key" used in the KV store is the input name.


MuS
Legend

Hi bradp1234,

I had a similar issue where the input stopped unnoticed for more than 2 weeks, and once it was restarted the events were no longer available from the MS API :facepalm:

It took me some time to troubleshoot the script/issue, but once I found what accesses the checkpoint and where, it was easy to manually check and update the checkpoint hidden deep inside this weird REST API / KV store construct.

You can use this command to see the checkpoint:

curl -k https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

And you can use this command to modify the checkpoint:

curl -k --header "Content-Type: application/json" --request POST --data '[ { "state" : "{\"max_date\": \"2018-11-20 18:56:17.772814\"}", "_user" : "nobody", "_key" : "O365_<input name here>_checkpoint"}] ' https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

Hope this helps should you have further issues ...

cheers, MuS
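As an added example (not from the original thread, the add-on, or Splunk), the following Python script does the same checkpoint inspection and reset as the two curl commands above, but first measures how far the stored max_date trails the current time so a stalled input can be caught before the events age out of the Office 365 API. Assumptions are labelled in the code: the collection name is a placeholder because it is truncated on the page, the key pattern O365_<input name>_checkpoint and the nested-JSON state record are taken from the curl commands, and MAX_LAG_DAYS is an assumed retention window, not a documented one.

```python
"""Inspect, lag-check and reset the KV-store checkpoint of one
Microsoft Office 365 Reporting Add-on input over the splunkd REST API.

Hypothetical helper script; not part of the add-on. Assumptions:
  - COLLECTION is a placeholder (the real collection name is truncated
    in the thread); the key is "O365_<input name>_checkpoint" and the
    record looks like {"state": "{\"max_date\": \"...\"}", "_user": "nobody"}
    exactly as in the curl commands above;
  - MAX_LAG_DAYS is an assumed retention window, tune it for your tenant.
"""
import base64
import json
import os
import ssl
import sys
from datetime import datetime, timedelta, timezone
from urllib import request

SPLUNKD = "https://127.0.0.1:8089"
APP = "TA-MS_O365_Reporting"
COLLECTION = "TA_MS_O365_Reporting_checkpoint"   # placeholder, assumed name
MAX_LAG_DAYS = 7                                  # assumed API retention window
DATE_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample record in the shape the thread shows (not real data).
SAMPLE_RECORD = {
    "state": "{\"max_date\": \"2018-11-20 18:56:17.772814\"}",
    "_user": "nobody",
    "_key": "O365_tenant1_checkpoint",
}


def checkpoint_key(input_name):
    """KV-store _key for an input, following the O365_<name>_checkpoint pattern."""
    return "O365_%s_checkpoint" % input_name


def parse_date(text):
    """Parse the add-on's timestamp format into an aware UTC datetime."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)


def parse_max_date(record):
    """'state' is a JSON document stored as a string inside the JSON record,
    so it has to be decoded twice before max_date can be read."""
    return parse_date(json.loads(record["state"])["max_date"])


def checkpoint_lag(record, now):
    """How far the stored checkpoint trails 'now' (a timedelta)."""
    return now - parse_max_date(record)


def is_stalled(record, now, max_lag_days=MAX_LAG_DAYS):
    """True when the checkpoint is older than the assumed retention window,
    i.e. the input would keep requesting events the API no longer returns."""
    return checkpoint_lag(record, now) > timedelta(days=max_lag_days)


def build_checkpoint(input_name, new_max_date):
    """Build a replacement record in the same nested-JSON shape as the add-on's."""
    state = json.dumps({"max_date": new_max_date.strftime(DATE_FMT)})
    return {"state": state, "_user": "nobody", "_key": checkpoint_key(input_name)}


def _record_url(input_name):
    return "%s/servicesNS/nobody/%s/storage/collections/data/%s/%s" % (
        SPLUNKD, APP, COLLECTION, checkpoint_key(input_name))


def _request(method, url, username, password, body=None, verify=True):
    """Minimal splunkd REST call with basic auth; verify=False mirrors curl -k
    and should only be used against a local splunkd with a self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = None if body is None else json.dumps(body).encode()
    req = request.Request(url, data=data, method=method)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    with request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode() or "null")


def fetch_checkpoint(input_name, username, password, verify=True):
    """GET the single checkpoint record for the input (same URL family as the thread)."""
    return _request("GET", _record_url(input_name), username, password, verify=verify)


def reset_checkpoint(input_name, new_max_date, username, password, verify=True):
    """POST a replacement record by key; the input resumes from new_max_date."""
    body = build_checkpoint(input_name, new_max_date)
    return _request("POST", _record_url(input_name), username, password, body, verify)


if __name__ == "__main__":
    # usage: SPLUNK_PASSWORD=... script.py <input name> <user> [new max_date]
    name, user = sys.argv[1], sys.argv[2]
    password = os.environ["SPLUNK_PASSWORD"]
    rec = fetch_checkpoint(name, user, password, verify=False)
    now = datetime.now(timezone.utc)
    print("checkpoint lag: %s, stalled: %s" % (checkpoint_lag(rec, now), is_stalled(rec, now)))
    if len(sys.argv) > 3:
        print(reset_checkpoint(name, parse_date(sys.argv[3]), user, password, verify=False))
```

Run the lag check from cron or as a scripted input so a stopped modular input is noticed while the events can still be fetched; only reset the checkpoint to a date the API still serves, otherwise the input is back in the same hole the original post describes.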

bradp1234
Path Finder

Thank you!
