My company is currently using Splunk to grab all Office 365 logs. We are currently having issues with Teams. I can see most data, but when I go to the Teams call overview I'm unable to see any logs.
The sourcetype you are looking for comes from https://splunkbase.splunk.com/app/4994/
Splunk addon for msteams
You can configure this using this article.
https://idp.login.splunk.com/app/splunk-ext_wwwaem_1/exk9jrrdivHzSWhlX2p7/sso/saml
Hope this helps.
I recently started the msteams integration with Splunk. Call records data came in for a day, then it stopped, but I think it has something to do with the subscription, as when I checked the subscription logs it was giving an error 404 page not found. Seems like an issue on MS's end, but I'm still trying to figure it out.
Hi,
The same thing happened to me. Did you find the solution? Deleting/re-entering the subscription input solves it, but this is not a long-term solution. If the call record feed stops, the events will be lost in space - no way to fetch "historical" events...
I will try, though. I see that there is no sourcetype=m365:teams:callRecord. I figured there would be, since this is the out-of-the-box Splunk add-in for O365.
If you're not ingesting data of a particular sourcetype then dashboards which use that sourcetype will be empty. There are some ways to correct that: 1) onboard the expected data; 2) modify the dashboard to use the sourcetype you have; 3) change your onboarding to ingest the data as the expected sourcetype.
I believe the issue may lie either in how the add-on is written or in Microsoft having changed something. On October 27th I stopped receiving the data that would populate that dashboard. Whether through re-setting up the agent or creating a new service account in Azure, I have been unsuccessful in getting that data from Office 365.