All Apps and Add-ons

Microsoft Office 365 Reporting Add-on for Splunk - Static start and end dates not updating with with continuous Input Mode

TX_Andy01
Explorer

I am continually getting a 404 Client error for bad request due to the start and end dates being past 7 days. The app works when I Index Once but as soon as I enable continuous monitor and add a day within 7 days from today I get the following error: ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%2...'

I have the following settings for the app: Interval=180 Query Window size= 30 Delay throttle=32 and Start date/time= 2019-05-10T09:00:00.

I checked the local directory as well to verify these setting are in the input.conf file.

Why does the error show a date of 2018? Is there another place I should check for the start/end date?

Thanks!

1 Solution

TX_Andy01
Explorer

We had to create another Input to resolve the issue. However, using the clone feature migrated the issue over to the cloned input as well so while the new input contains the same information it had to be built manually.

View solution in original post

0 Karma

TX_Andy01
Explorer

We had to create another Input to resolve the issue. However, using the clone feature migrated the issue over to the cloned input as well so while the new input contains the same information it had to be built manually.

View solution in original post

0 Karma

jcleary47
Path Finder

Have you found a solution to this? We are having major issues with our inputs randomly stopping as well. I'm seeing a lot of 400 Client Errors.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!