Splunk Add-on for Microsoft Office 365: input tab displays not found banner on Splunk Cloud

Communicator

I have installed the Office 365 add-on on the local search head and Heavy Forwarder.
The Input tab in the o365 add-on is not showing the index I created on Splunk Cloud.

I have also tried installing the o365 add-on on Splunk Cloud but the input tab in o365 displays a "Not Found" banner.

I have managed to get o365 logs into Splunk (searchable on cloud and local SH) but I can't seem to get them to the right index (on the local search head I can only get the main index).

I'm fairly new to Splunk so any help would be appreciated.

My setup consists of a heavy forwarder, local search head, managed Splunk Cloud and a deployment server.

Splunk Employee

In Splunk Cloud, inputs for this app are not allowed on the SH at this time. You will have to add the inputs via the IDM as @nathanluke86 stated.

0 Karma

Explorer

I have the same issue, so I put in a ticket right now with Splunk support. Let's see what they come back with.

0 Karma

Hi harrysof, have you heard anything back yet from Cloud Ops team? Same issue here.

0 Karma

Explorer

Yes I did. Turns out you cannot use it on Splunk Cloud, as the inputs.conf file cannot be edited if you are using managed Splunk Cloud services.

I was told to install this app on my heavy forwarder to get the inputs to work correctly.

0 Karma

Communicator

Finally managed to get this working. Splunk provided an IDM to run alongside Splunk Cloud. I would suggest issuing a support ticket and asking for access to an IDM. I was running the app on a local search head but had issues with indexing.

0 Karma

Hi nathanluke86,
Splunk Cloud IDM solves the problem!!
To create inputs under a customized index (not main/default) you should create the new index on the IDM environment first, which will then be replicated to the other instances that are part of the cluster.

Communicator

The IDM is managed by Splunk. I asked for the o365 app to be installed and specified to support which index I would like to use.

0 Karma