
Microsoft Office 365 Reporting Add-on for Splunk: Is it possible to reset the start time without reinstalling the App?

bradp1234
Path Finder

I have experienced this issue twice. The app will crash and get behind and not be able to catch up. I think the O365 API only keeps a certain time frame of logs and then after that they are not accessible. Once the installation is querying the logs that are inaccessible, the app never catches back up to when logs are present. In the past the only solution was to reinstall the app. But the start and end date must be located in a KV store or lookup somewhere. Has anyone figured out how to update those values without reinstalling the app? I have tried the web interface, but once the app gets started it doesn't seem to respect the start date entered into the web configuration. Any help is appreciated.

Using version 1.1.0 of the app
Splunk enterprise version: 6.6.7

1 Solution

jconger
Splunk Employee

The checkpoint is indeed stored in the KV store. You can delete your existing input and create a new input with a different name rather than uninstall/reinstall the add-on. The reason for the different name is the "key" used in the KV store is the input name.


MuS
Legend

Hi bradp1234,

I had a similar issue where the input stopped unnoticed for more than 2 weeks, and once it was restarted the events were no longer available from the MS API :facepalm:

It took me some time to troubleshoot the script/issue, but once I found who and where the checkpoint is accessed it was easy to manually check and update the checkpoint hidden deep inside this weird REST API / KV store construct.

You can use this command to see the checkpoint:

curl -k https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

And you can use this command to modify the checkpoint:

curl -k --header "Content-Type: application/json" --request POST --data '[ { "state" : "{\"max_date\": \"2018-11-20 18:56:17.772814\"}", "_user" : "nobody", "_key" : "O365_<input name here>_checkpoint"}] ' https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

Hope this helps should you have further issues ...

cheers, MuS
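The two curl commands above do the whole job, but the tricky parts are easy to get wrong by hand: the "state" field is a JSON string nested inside the JSON document (so the inner quotes must be escaped), the "_key" is derived from the input name, and a timestamp typo silently produces a checkpoint the add-on cannot parse. The following Python script is an added example, not code from the original thread or from the add-on itself. It wraps the read and the reset in small functions and adds a lag check so an input that stops can be noticed before the API retention window lapses. The collection name is truncated in the post, so COLLECTION is a placeholder to be taken from the add-on's collections.conf; the batch_save endpoint is used for the write because it accepts an array of documents and replaces an existing document with the same "_key" rather than failing with a duplicate-key error.

```python
"""Inspect and reset the Office 365 Reporting add-on checkpoint in the Splunk KV store.

Added example; assumes a Splunk management port on 127.0.0.1:8089 and the
TA-MS_O365_Reporting app. COLLECTION is a PLACEHOLDER (the real name is
truncated in the thread): copy it from the add-on's collections.conf.
"""
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

SPLUNK_BASE = "https://127.0.0.1:8089"
APP = "TA-MS_O365_Reporting"
COLLECTION = "TA_MS_O365_Reporting_checkpoints"  # PLACEHOLDER, see docstring
DATE_FMT = "%Y-%m-%d %H:%M:%S.%f"  # format of max_date as shown in the post


def checkpoint_key(input_name: str) -> str:
    """The _key is derived from the input name, which is why a renamed input starts fresh."""
    return f"O365_{input_name}_checkpoint"


def collection_url(base=SPLUNK_BASE, app=APP, collection=COLLECTION, key=None) -> str:
    """REST URL of the collection, or of one document when a key is given."""
    url = f"{base}/servicesNS/nobody/{app}/storage/collections/data/{collection}"
    return f"{url}/{key}" if key else url


def build_checkpoint_doc(input_name: str, max_date: str) -> dict:
    """Build the document in the shape shown in the post: 'state' is a JSON *string*, not an object."""
    datetime.strptime(max_date, DATE_FMT)  # reject a malformed timestamp before it reaches the KV store
    return {
        "state": json.dumps({"max_date": max_date}),
        "_user": "nobody",
        "_key": checkpoint_key(input_name),
    }


def parse_max_date(doc: dict) -> datetime:
    """Decode the nested state string and return max_date as an aware UTC datetime."""
    state = json.loads(doc["state"])
    return datetime.strptime(state["max_date"], DATE_FMT).replace(tzinfo=timezone.utc)


def checkpoint_lag_hours(doc: dict, now: datetime) -> float:
    """Hours between the stored checkpoint and now; alert on this before the API stops serving the data."""
    return (now - parse_max_date(doc)).total_seconds() / 3600.0


def _request(url, user, password, method="GET", body=None, verify_tls=True):
    """Minimal authenticated REST call with the standard library; verifies TLS unless told not to."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for a lab box with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode())


def read_checkpoints(user, password, **kw):
    """GET every document in the collection (the first curl command in the post)."""
    return _request(collection_url(), user, password, **kw)


def reset_checkpoint(user, password, input_name, max_date, **kw):
    """Upsert one checkpoint document (the second curl command, via batch_save)."""
    doc = build_checkpoint_doc(input_name, max_date)
    return _request(collection_url() + "/batch_save", user, password, method="POST", body=[doc], **kw)


if __name__ == "__main__":
    # Offline demonstration on a constructed document; no Splunk connection is made here.
    sample = build_checkpoint_doc("my_o365_input", "2018-11-20 18:56:17.772814")
    print(json.dumps([sample]))  # this is the body the POST in the post sends
    print("lag (h):", round(checkpoint_lag_hours(sample, datetime.now(timezone.utc)), 1))
```

To use it against a live instance, call read_checkpoints(user, pw) to see the current documents, then reset_checkpoint(user, pw, "<input name>", "2018-11-20 18:56:17.772814") with a max_date that is still inside the window the O365 API serves; pass verify_tls=False only where the management port still runs a self-signed certificate. Running checkpoint_lag_hours on a schedule and alerting when it exceeds a few days is the cheap way to avoid the "stopped unnoticed for two weeks" situation in the first place.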


bradp1234
Path Finder

Thank you!
