
Problem ingesting logs after 2.0

wstarowicz
Path Finder

Hi, after upgrading to version 2.0, logs from signins are not ingested (we're using only this input so far). The logs show the following error:

2019-10-14 12:52:52,437 ERROR pid=5027 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 84, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 77, in collect_events
    sign_ins = azutils.get_items(helper, access_token, url)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
    raise e
HTTPError: 429 Client Error:  for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
0 Karma

wstarowicz
Path Finder

Hi, I didn't check this setting as it started to work during the night...

0 Karma

jconger
Splunk Employee

HTTP code 429 indicates "too many requests" to the Microsoft API. Try setting the query limit parameter in the input to limit the number of requests on each run.

0 Karma
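
Added example, not part of the thread or of the add-on's code: one way a collector can cap requests per run and wait out a 429 without losing its place in the sign-in pages, so throttling does not leave a gap in the ingested logs. The names `collect_pages`, `fetch`, `max_requests` and `make_fake_graph` are hypothetical, the responses are constructed, and how the add-on's own query limit parameter behaves is not shown on this page.

```python
import time

def retry_delay(headers, fallback):
    """Seconds to wait after a 429: Retry-After if numeric, else fallback."""
    try:
        return max(0.0, float(headers.get("Retry-After", "")))
    except ValueError:  # header missing or not a number of seconds
        return fallback

def collect_pages(fetch, url, max_requests=10, sleep=time.sleep):
    """Follow @odata.nextLink from url, spending at most max_requests calls.
    fetch(url) -> (status, headers, body) is a hypothetical transport hook.
    Returns (items, resume_url); resume_url is None once the last page is
    read, otherwise it is where the next scheduled run should continue.
    """
    items, sent, backoff = [], 0, 1
    while url and sent < max_requests:
        status, headers, body = fetch(url)
        sent += 1  # retries count against the per-run budget too
        if status == 429:
            sleep(retry_delay(headers, backoff))
            backoff = min(backoff * 2, 60)
            continue  # retry the same URL, nothing is skipped
        if status != 200:
            raise RuntimeError("HTTP %d for %s" % (status, url))
        backoff = 1
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return items, url

def make_fake_graph():
    """Constructed offline stand-in for the sign-ins endpoint (no real data)."""
    script = {
        "page1": [(429, {"Retry-After": "3"}, {}),
                  (200, {}, {"value": [{"id": "a"}, {"id": "b"}],
                             "@odata.nextLink": "page2"})],
        "page2": [(429, {}, {}),
                  (200, {}, {"value": [{"id": "c"}]})],
    }
    calls = []
    def fetch(url):
        calls.append(url)
        return script[url].pop(0)
    return fetch, calls

if __name__ == "__main__":
    fetch, _ = make_fake_graph()
    print(collect_pages(fetch, "page1", sleep=lambda s: None))
```

Persisting the returned `resume_url` as the input's checkpoint lets a run that exhausts its budget continue from the same page on the next interval.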

fed_kerr
New Member

I've got the same issue. Did you fix it by setting the query limit parameter?

0 Karma