
Query Window Size is required and should be at least 1 minute

cbastashutterfl
Explorer
[ms_o365_message_trace://Ouro365data]
delay_throttle = 1440
index = o365
input_mode = continuously_monitor
interval = 3600
office_365_password = THE_PASSWORD
office_365_username = Our_account@email.thing.stuff
query_window_size = 60
sourcetype = ms:o365:reporting:messagetrace

^That is our inputs.conf in local for the app. Was created via the GUI. However, after upgrade and having to switch to user/password, the app is now complaining about query window size.

HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"<class 'splunktaucclib.rest_handler.error.RestError'>\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\".  See splunkd.log for more details."}]}

That is from the var/log/splunk/ta_ms_o365_reporting_ms_o365_message_trace.log

06-26-2018 18:01:36.514 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n  File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n    hand.execute(info)\n  File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n    if self.requestedAction == ACTION_LIST:     self.handleList(confInfo)\n  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunk_aoblib/rest_migration.py", line 38, in handleList\n    AdminExternalHandler.handleList(self, confInfo)\n  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n    for entity in result:\n  File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n    raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n

^Splunkd.log line

Has anyone else had this issue or have a fix? I've completely deleted the local folder (after backup) and then even re-installed the app fresh and created an input from scratch. Still not recognizing that query_window_size is set.

Please help

pmelon
Explorer

As per comment, this worked for me:

Edit /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/input_module_ms_o365_message_trace.py

Manually set query_window_size and delay_throttle like so:

def validate_input(helper, definition):
    input_mode = definition.parameters.get('input_mode')
    interval = definition.parameters.get('interval')
    query_window_size = 60
    delay_throttle = 1440
    # query_window_size = definition.parameters.get('query_window_size', None)
    # delay_throttle = definition.parameters.get('delay_throttle', None)
    start_date_time = definition.parameters.get('start_date_time', None)
    end_date_time = definition.parameters.get('end_date_time', None)
    start = None # Local instance of start date
    end = None # Local instance of end date
0 Karma

jconger
Splunk Employee

It's odd that you see this behavior after an uninstall/reinstall. Make sure the query_window_size isn't overridden somewhere by using btool from the command line:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug | grep "query_window_size"
0 Karma
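
The btool check suggested above can be scripted. This is an added example, not part of the original thread or the add-on's code: it parses `btool inputs list --debug` output (each line is the winning .conf file followed by a stanza header or `key = value`) and reports, for every `ms_o365_message_trace://` input, whether `query_window_size` is missing, invalid, or at least 1, and which file supplied it. The sample output, the `search` app path, the `second` stanza and the function names are constructed for illustration.

```python
import re

# Constructed sample of `btool inputs list --debug` output (not captured from a
# real system): each line is "<winning .conf file> <stanza header or key = value>".
SAMPLE = """\
/opt/splunk/etc/apps/TA-MS_O365_Reporting/local/inputs.conf [ms_o365_message_trace://Ouro365data]
/opt/splunk/etc/apps/TA-MS_O365_Reporting/local/inputs.conf delay_throttle = 1440
/opt/splunk/etc/apps/TA-MS_O365_Reporting/local/inputs.conf interval = 3600
/opt/splunk/etc/apps/search/local/inputs.conf               query_window_size =
/opt/splunk/etc/apps/TA-MS_O365_Reporting/local/inputs.conf [ms_o365_message_trace://second]
/opt/splunk/etc/apps/TA-MS_O365_Reporting/local/inputs.conf query_window_size = 60
"""

LINE = re.compile(
    r"^(?P<src>\S+)\s+(?:\[(?P<stanza>[^\]]+)\]|(?P<key>[\w.\-]+)\s*=\s*(?P<val>.*))$"
)

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # skip blank or unrecognised lines
        if m["stanza"]:
            current = stanzas.setdefault(m["stanza"], {})
        elif current is not None:
            current[m["key"]] = (m["val"].strip(), m["src"])
    return stanzas

def check_window(stanzas, prefix="ms_o365_message_trace://", key="query_window_size"):
    """Return [(stanza, status, source_file)] for each message-trace input."""
    out = []
    for name, settings in stanzas.items():
        if not name.startswith(prefix):
            continue
        value, src = settings.get(key, (None, None))
        if value is None:
            status = "missing"
        elif not value.isdigit() or int(value) < 1:
            status = "invalid: %r" % value  # empty, non-numeric or below 1 minute
        else:
            status = "ok"
        out.append((name, status, src))
    return out

if __name__ == "__main__":
    for name, status, src in check_window(parse_btool_debug(SAMPLE)):
        print(name, status, src)
```

On a real host, pass the output of the btool command from the post above to `parse_btool_debug()` in place of `SAMPLE`.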

pmelon
Explorer

I'm having the same problem. The btool command suggests only one source for the query_window_size setting. I'm not sure what changed when, but it was working fine before. I've not changed anything that I know of.

The end result is that this app no longer works and I was finding it very useful. Is there a fix? Anything I can try?

0 Karma

pmelon
Explorer

I manually edited the values in /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/input_module_ms_o365_message_trace.py

To this:

def validate_input(helper, definition):
    input_mode = definition.parameters.get('input_mode')
    interval = definition.parameters.get('interval')
    query_window_size = 60
    delay_throttle = 1440
    # query_window_size = definition.parameters.get('query_window_size', None)
    # delay_throttle = definition.parameters.get('delay_throttle', None)
    start_date_time = definition.parameters.get('start_date_time', None)
    end_date_time = definition.parameters.get('end_date_time', None)
    start = None # Local instance of start date
    end = None # Local instance of end date

It seems to be working again.

0 Karma