I have installed the Office 365 add-on on the local search head and Heavy Forwarder.
The Input tab in the o365 add-on is not showing the index I created on Splunk Cloud.
I have also tried installing the o365 add-on on Splunk Cloud but the input tab in o365 displays a "Not Found" banner.
I have managed to get o365 logs into Splunk (searchable on cloud and local SH) but I can't seem to get them into the right index (on the local search head I can only get the main index).
I'm fairly new to Splunk so any help would be appreciated.
My setup consists of a heavy forwarder, local search head, managed Splunk cloud and a deployment server.
Hello, I am not sure if I can get any help as this topic is pretty old, but hopefully, someone is facing a similar issue and has an answer. I have installed the Splunk Add-on for Microsoft Office 365 version 3.0.0 on a Victoria Experience cloud instance, and I receive the same "Not Found" error on inputs. On this cloud instance, there is no need to configure an index through an IDM, nor install the app through a support ticket. I can see my index in the configuration of the inputs, but still, receive the same error. Has anyone been able to solve this? Thank you!
In Splunk Cloud, inputs for this app are not allowed on the SH at this time. You will have to add the inputs via the IDM as @nathanluke86 stated.
I have the same issue, so I put in a ticket right now with Splunk support. Let's see what they come back with.
Hi harrysof, have you heard anything back yet from Cloud Ops team? Same issue here.
Yes, I did. Turns out you cannot use it on Splunk Cloud, as the inputs.conf file cannot be edited if you are using managed Splunk Cloud services.
I was told to install this app on my heavy forwarder to get the inputs to work correctly.
Finally managed to get this working; Splunk provided an IDM to run alongside Splunk Cloud. I would suggest issuing a support ticket and asking for access to an IDM. I was running the app on a local search head but had issues with indexing.
Hi nathanluke86,
Splunk Cloud IDM solves the problem!!
To create inputs under a customized index (not main/default) you should create the new index on the IDM environment first, which will then be replicated to the other instances that are part of the cluster.
The IDM is managed by Splunk. I asked for the o365 app to be installed and specified to support which index I would like to use.