All Apps and Add-ons

Microsoft Office 365 Reporting Add-on for Splunk: Is it possible to reset the start time without reinstalling the App?

bradp1234
Path Finder

I have experienced this issue twice. The app will crash and get behind and not be able to catch up. I think o365 api only keeps a certain time frame of logs and then after that they are not accessible. Once the installation is querying the logs that are inaccessible, the app never catches backup to when logs are present. In the past the only solution was to reinstall the app. But the start and end date must be located in a kvstore or lookup somewhere. Has anyone figured out how to update those values without reinstalling the app? I have tried the web interface, but once the app gets started it doesn't seem to respect the start date inputted into the web configuration. Any help is appreciated.

Using version 1.1.0 of the app
Splunk enterprise version: 6.6.7

1 Solution

jconger
Splunk Employee
Splunk Employee

The checkpoint is indeed stored in the KV store. You can delete your existing input and create a new input with a different name rather than uninstall/reinstall the add-on. The reason for the different name is the "key" used in the KV store is the input name.

View solution in original post

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi bradp1234,

I had a similar issue where the input stopped unnoticed for mare than 2 weeks, and once it was restarted the events were no longer available from the MS API :facepalm:

It took me some time to troubleshoot the script/issue, but once I found who and where the checkpoint is accessed it was easy to manually check and update the checkpoint hidden deep inside this weird REST API / KV store construct.

You can use this command to see the checkpoint:

curl -k https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

And you can use this command to modify the checkpoint:

curl -k --header "Content-Type: application/json" --request POST --data '[ { "state" : "{\"max_date\": \"2018-11-20 18:56:17.772814\"}", "_user" : "nobody", "_key" : "O365_<input name here>_checkpoint"}] ' https://127.0.0.1:8089/servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Re... -u <username>

Hope this helps should you have further issues ...

cheers, MuS

jconger
Splunk Employee
Splunk Employee

The checkpoint is indeed stored in the KV store. You can delete your existing input and create a new input with a different name rather than uninstall/reinstall the add-on. The reason for the different name is the "key" used in the KV store is the input name.

View solution in original post

0 Karma

bradp1234
Path Finder

Thank you!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!