I have installed the Office 365 add-on on the local search head and Heavy Forwarder.
The Input tab in the o365 add-on is not showing the index I created on Splunk Cloud.
I have also tried installing the o365 add-on on Splunk Cloud, but the Input tab in o365 displays a "Not Found" banner.
I have managed to get o365 logs into Splunk (searchable on cloud and local SH) but I can't seem to get it to the right index (on the local search head I can only get the main index).
I'm fairly new to Splunk so any help would be appreciated.
My setup consists of a heavy forwarder, local search head, managed Splunk Cloud and a deployment server.
Yes, I did. Turns out you cannot use it on Splunk Cloud, as the inputs.conf file cannot be edited if you are using managed Splunk Cloud services.
I was told to install this app on my heavy forwarder to get the inputs to work correctly.
Finally managed to get this working. Splunk provided an IDM to run alongside Splunk Cloud. I would suggest issuing a support ticket and asking for access to an IDM. I was running the app on a local search head but had issues with indexing.
Splunk Cloud IDM solves the problem!!
inputs under customized index (not main/default) you should create the new index on the IDM environment first, which will then be replicated to the other instances that are part of the cluster.