All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Office 365 Reporting Web Service 2.0.0 404 ERROR- How to resolve?

Lia
Engager
‎08-16-2022 04:09 AM

We've upgrade this add-on to version 2.2.0 and Using Modern Authentication (OAuth), when configured in HF, the internal log shows 404 error as below:

127.0.0.1 - splunk-system-user [14/Aug/2022:20:08:03.558 -0700] "GET /servicesNS/nobody/TA-MS_O365_Reporting/storage/collections/data/TA_MS_O365_Reporting_checkpointer/MDSLAB_obj_checkpoint_oauth HTTP/1.1" 404 140 "-" "curl" - 1ms

Would anybody can know the cause of this error? Any solutions? Thanks.

Labels (3)
Tags (1)
Reply

jconger
Splunk Employee
Splunk Employee
‎09-09-2022 08:08 AM

That 404 error indicates a KV store issue.  Try cloning your input and then disabling or deleting the existing input.

0 Karma
Reply

kissmyuzi123
Engager
‎08-21-2022 11:15 PM

Having the same issue, keen to hear any solutions.

0 Karma
Reply

ljramv
Explorer
‎09-09-2022 03:44 AM

Hello, has anyone been able to configure the add-on with modern auth? Im getting this same error along with 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc

Followed all the steps, the MS official doc also suggest to add Security Reader role for the App Registration. Shouldn't in theory there be an option to specify the tenant along with client ID and secret? Maybe @jconger might know this one.

Thanks for anyone's reply.

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎09-09-2022 08:15 AM

Setting up the permissions for this add-on is a 2 step process:

  1. For the Azure AD app registration, add the ReportingWebService.Read.All API permission.
    • This can be found by going to APIs my organization uses => Office 365 Exchange Online.  See the attached screenshot
  2. The Azure AD app registration needs to be assigned a directory role.

message_trace_api_permissions.jpg

Reply

ljramv
Explorer
‎09-09-2022 08:26 AM

Thanks for your reply @jconger. I did try to recreate the input and restart splunkd on the forwarder. I've also given it the ReportingWebService.Read.All under Applications permissions as stated here https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/ as well as Exchange Administrator and Global Reader role.

Screenshot 2022-09-09 at 17.18.34.png

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎09-09-2022 08:41 AM

Was the API permission granted?

message_trace_api_granted.jpg

Also, was the role added at the directory level?

mesage_trace_roles.jpg

The input recreation suggestion was for the OP since they were getting a 404 on the KV store.

A question about the tenant was mentioned in the thread above.  The tenant is specified at the input level.  Are you setting up a "Microsoft Office 365 Message Trace (OAuth)" input?  That input requires the tenant ID; whereas, the "Microsoft Office 365 Message Trace (Basic Auth)" input does not.

Reply

ljramv
Explorer
‎09-12-2022 12:40 AM

Ah theres the problem then, thank you. I did not create a new input but rather copy existing one that was set up with basic auth. Makes more sense for the tenant field to be specified on the account along with the client and secret. Thanks anyway.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top