All Apps and Add-ons

Why am I unable to view data in our production environment in Microsoft Cloud App for Splunk?

Engager

Hi, we are currently unable to view data in our production environment with this add-on. We have checked config and we are receiving data from Office365 but the add-on does not display anything.

When I modify the query to the one listed below, I am able to retrieve data. I took a look at the dataset and it appears to be querying the index mscloud, can you please help?

sourcetype=ms:o365:management OR sourcetype=ms:o365:reporting:messagetrace OR sourcetype=mscs:azure:audit index=mscloud | stats count by sourcetype | rename sourcetype AS Sourcetype data_description AS "Description" data_source AS "Data On-boarding Guide" app_source AS "App Source" count AS "Event Count" dashboards AS Dashboards | fields Sourcetype Description Dashboards "App Source" "Data On-boarding Guide" "Event Count"
0 Karma
1 Solution

Splunk Employee
Splunk Employee

If your data is coming into the index "mscloud" and your management inputs are coming in via the Splunk Add-on for Microsoft Cloud Services, Then you should see data using: index=mscloud sourcetype=ms:o365:management

The Microsoft Cloud App for Splunk doesn't specify an index in any of the panels, perhaps it might be a case of specifying the indexes searched by default as part of the role you're running the search with?

https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html

View solution in original post

Engager

Thanks, I added the index to the default search for 'user' role, we will adjust its scope later but that did the trick 🙂

0 Karma

Splunk Employee
Splunk Employee

If your data is coming into the index "mscloud" and your management inputs are coming in via the Splunk Add-on for Microsoft Cloud Services, Then you should see data using: index=mscloud sourcetype=ms:o365:management

The Microsoft Cloud App for Splunk doesn't specify an index in any of the panels, perhaps it might be a case of specifying the indexes searched by default as part of the role you're running the search with?

https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html

View solution in original post