All Apps and Add-ons

Microsoft Office 365 Reporting Add-on for Splunk: Why is it returning "500 Server Error: Internal Server Error for url"?


O365 message trace logs suddenly stopped logging.

We are seeing following error in Splunkd.log

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/" HTTP Request error: 500 Server Error: Internal Server Error for url:

We had that verified credentials are valid.

Please suggest how to fix this.

Labels (1)

Path Finder

I opened a case with microsoft for this error - the issue for me was that the docs (both on splunkbase and in the Microsoft docs article referenced by Splunkbase) say that the Message Trace API can gather data up to 30 days prior. This is incorrect. The correct documentation can be found here, which shows that only a max of 10 days prior is allowed:

Switching the start_date from 30 days to 9 or 10 days prior ended up working for me!

0 Karma


This thread has a working solution:

@poisar opened a case with MS and adding a \ before the $filter in the script solved the problem for me

0 Karma

0 Karma


Hi @parikshithreddy ,

If your credential are correct than most probably, it is not able to connect to MS Office365 portal due to proxy or firewall settings.
You may be able to access the portal via web browser, but api callls from terminals are blocked due to your network proxy or firewall settings.

If it is not the case, please share some logs.

Accept & up-vote the answer if it helps.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...