Microsoft TA for o365 Audit SignIn logs missing


I have set up the Graph API input for AuditSignIn.Logs, and logs are not consistent and are randomly missing in Splunk.

Getting this error in logs:

2021-07-22 15:21:56,991 level=ERROR pid=8208 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api | datainput=b'SignInLogs' start_time=1626991803 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/", line 235, in run
    return
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/", line 114, in run
    self._ingest(message, source)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/", line 124, in _ingest
    self._event_writer.write_event(, source=source)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/", line 161, in write_event
    self._write(data)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/", line 145, in _write
    self._dev.write(data)
BrokenPipeError: [Errno 32] Broken pipe

Any help?
