Hello,
I'm experiencing an issue with the Splunk TA for O365, and in particular with the SharePoint Management Activity Logs.
The issue is this:
1) 10:00 AM I activate the input
2) 10:01 AM Splunk starts to collect 10:00 AM events
3) 10:05 AM Splunk continues to collect SharePoint logs but going backward in time! (9:59 AM, 9:58 AM and so on)
4) 11:00 AM Splunk is still collecting logs in the past but the temporary token expires and the input is closed and reopened
5) 11:00 AM Splunk reopens the input
6) 11:01 AM Splunk starts to collect 11:00 AM events
7) JUMP to step 3 but 1 hour later
Do you know how to ask Splunk not to go backward and to start collecting in time?
Regards
Marco
@marcoRAD - The Office 365 App inputs used to have that option, but it is no longer present in the latest App that I can see.
You can create a Splunk support case to get resolution from the developer of the Add-on.
Please consider upvoting/accepting the answer if this helps!!!