
Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

rayar
Path Finder

I have had the input working for a long time.

After it stopped working I reinstalled the Add-on 1.2.4.

Now I have a lot of data I need to import.

How would you recommend setting up the input (delay_throttle, query_window_size, interval)?

[splunk@ilissplfwd05 local]$ cat inputs.conf
[ms_o365_message_trace://o365tracking]
delay_throttle = 720
index = o365
input_mode = continuously_monitor
interval = 30
office_365_account = o365tracking
query_window_size = 30
start_date_time = 2021-01-21T00:00:01
disabled = 0
[splunk@ilissplfwd05 local]$

0 Karma

becksyboy
Communicator

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs.

This may help you:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporti...

Also from the App:

https://splunkbase.splunk.com/app/3720/#/details

  1. Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes.
  2. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay (reference). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".


0 Karma

becksyboy
Communicator

You should be able to do an index once. I can't remember how far you can go back, but you should be able to do 20-30 days' worth?

[ms_o365_message_trace://index_once]
delay_throttle = 1
index = ********
input_mode = index_once
interval = -1
office_365_password = ********
office_365_username = ********
query_window_size = 60
start_date_time = 2021-01-01T11:01:01
end_date_time = 2021-01-27T11:01:01

0 Karma
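A worked model of the two rules quoted from the Splunkbase page (query window size and delay throttle), added here as a constructed example rather than the add-on's own code. It computes which windows the continuous input from the question (query_window_size = 30, delay_throttle = 720, start_date_time = 2021-01-21T00:00:01) would query, assuming the input first runs at 2021-02-01T00:00:00, and how many windows the index_once range above would be split into.

```python
from datetime import datetime, timedelta

# Constructed model of the windowing rules as the quoted text describes them;
# not the add-on's code. Parameter names mirror the inputs.conf keys, and
# query_window_size and delay_throttle are in minutes, as in the add-on.

def next_query_window(checkpoint, now, query_window_size, delay_throttle):
    """Return (start, end) for the next continuously_monitor query, or None
    when the window's end is closer than delay_throttle minutes to now."""
    end = checkpoint + timedelta(minutes=query_window_size)
    if now - end < timedelta(minutes=delay_throttle):
        return None  # the input exits and does nothing on this run
    return checkpoint, end

def catch_up_windows(start_date_time, now, query_window_size, delay_throttle):
    """Windows a continuously_monitor input queries, run after run, from
    start_date_time until the delay throttle stops further progress."""
    windows = []
    checkpoint = start_date_time
    while True:
        window = next_query_window(checkpoint, now, query_window_size, delay_throttle)
        if window is None:
            return windows
        windows.append(window)
        checkpoint = window[1]  # the next run starts where this one ended

def index_once_windows(start_date_time, end_date_time, query_window_size):
    """Windows an index_once input queries across a fixed date range."""
    windows = []
    start = start_date_time
    while start < end_date_time:
        end = min(start + timedelta(minutes=query_window_size), end_date_time)
        windows.append((start, end))
        start = end
    return windows

if __name__ == "__main__":
    # The example from the quoted documentation: the run is skipped (None).
    print(next_query_window(datetime(2018, 1, 1), datetime(2018, 1, 1, 0, 2), 60, 60))
    # The poster's settings, with an assumed first run at 2021-02-01T00:00:00.
    runs = catch_up_windows(datetime(2021, 1, 21, 0, 0, 1), datetime(2021, 2, 1), 30, 720)
    print(len(runs), "catch-up runs; newest data queried ends at", runs[-1][1])
    # The index_once range from the reply above, split into 60-minute windows.
    print(len(index_once_windows(datetime(2021, 1, 1, 11, 1, 1),
                                 datetime(2021, 1, 27, 11, 1, 1), 60)), "windows")
```

Under this model the continuous input needs 503 runs to catch up, which at interval = 30 (seconds) takes roughly four hours; after that each run queries one 30-minute window that is at least 12 hours old, so a larger query_window_size mainly shortens the initial catch-up.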

rayar
Path Finder

Thanks a lot.

I will create a separate input for "Index Once".

What values would you recommend for "Continuously Monitor"?
0 Karma
