Reviewing the /opt/splunk/var/log/splunk/tamso365reportingmso365message_trace.log,
I see the following:
2018-04-02 10:32:15,061 ERROR pid=31792 tid=MainThread file=base_modinput.py:log_error:307 | HTTP Request error: 401 Client Error: Unauthorized for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$format=json&orderb...;
Any help would be appreciated
We experienced the exact same symptoms when we deployed this app. After some investigation together with our windows/AD guys we found that the O365-account we are using for this was setup for “multifactor authentication”.
After configuring the correct exceptions for this account everything is working perfectly.
I was also getting this error. Under the configuration section of the Reporting Add-on, I re-entered the username (SMTP address) and password and saved. Connection into Office365 was then good and the error ceased.
This add-on makes use of the Office 365 Reporting Web Service. It is pretty easy to test this web service outside of Splunk using cURL or Postman (my personal favorite as of this writing) because the web service uses Basic Auth - meaning you can enter your O365 username and password and send the request without having to obtain an OAuth access token.
Here is a screenshot of using Postman to test the web service:
Try copying/pasting the URL you get in the error message into cURL or Postman to get more information.