All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to view data in our production environment in Microsoft Cloud App for Splunk?

gumbicus
Engager
‎05-23-2018 08:28 PM

Hi, we are currently unable to view data in our production environment with this add-on. We have checked config and we are receiving data from Office365 but the add-on does not display anything.

When I modify the query to the one listed below, I am able to retrieve data. I took a look at the dataset and it appears to be querying the index mscloud, can you please help?

sourcetype=ms:o365:management OR sourcetype=ms:o365:reporting:messagetrace OR sourcetype=mscs:azure:audit index=mscloud | stats count by sourcetype | rename sourcetype AS Sourcetype data_description AS "Description" data_source AS "Data On-boarding Guide" app_source AS "App Source" count AS "Event Count" dashboards AS Dashboards | fields Sourcetype Description Dashboards "App Source" "Data On-boarding Guide" "Event Count"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rlait_splunk
Splunk Employee
Splunk Employee
‎05-24-2018 01:22 AM

If your data is coming into the index "mscloud" and your management inputs are coming in via the Splunk Add-on for Microsoft Cloud Services, Then you should see data using: index=mscloud sourcetype=ms:o365:management

The Microsoft Cloud App for Splunk doesn't specify an index in any of the panels, perhaps it might be a case of specifying the indexes searched by default as part of the role you're running the search with?

https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html

View solution in original post

Reply
Solved! Jump to solution

gumbicus
Engager
‎05-24-2018 04:20 PM

Thanks, I added the index to the default search for 'user' role, we will adjust its scope later but that did the trick 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

rlait_splunk
Splunk Employee
Splunk Employee
‎05-24-2018 01:22 AM

If your data is coming into the index "mscloud" and your management inputs are coming in via the Splunk Add-on for Microsoft Cloud Services, Then you should see data using: index=mscloud sourcetype=ms:o365:management

The Microsoft Cloud App for Splunk doesn't specify an index in any of the panels, perhaps it might be a case of specifying the indexes searched by default as part of the role you're running the search with?

https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html

Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top