
Microsoft TA for o365 Audit SignIn logs missing

orca
Explorer

I have set up the Graph API input for AuditSignIn.Logs, and logs are not consistent and are randomly missing in Splunk.

Getting this error in logs:

    2021-07-22 15:21:56,991 level=ERROR pid=8208 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'SignInLogs' start_time=1626991803 | message="Data input was interrupted by an unhandled exception."
    Traceback (most recent call last):
      File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper
        return func(*args, **kwargs)
      File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py", line 235, in run
        return consumer.run()
      File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py", line 114, in run
        self._ingest(message, source)
      File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/graph_api.py", line 124, in _ingest
        self._event_writer.write_event(message.data, source=source)
      File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/event_writer.py", line 161, in write_event
        self._write(data)
      File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/event_writer.py", line 145, in _write
        self._dev.write(data)
    BrokenPipeError: [Errno 32] Broken pipe

Any help?
