Why did the O365 Message Trace Stop Working in version 1.1.0?
We received our last event for O365 Message Logs on: 4/25/19 8:38:59.951 AM
Initially, I thought it would be fixed by updating the password for the O365 account we use for the logs, as it had expired and we were getting ERRORs in the _internal logs due to the account being unauthorized.
Updating the password fixed that issue, but now I'm still not getting any new data in. I updated the start date/time when I updated the password to 2019-04-25T08:38:59, which is right around when the input stopped working due to the expired password.
These are the input settings:
Interval: 300
Query Window Size: 300
Delay throttle: 5
Start date/time: 2019-04-25T08:38:59
This is what I'm seeing in _internal for ERROR messages:
04-30-2019 14:59:08.568 -0400 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ta_ms_o365_reporting/splunktaucclib/rest_handler/handler.py", line 118, in wrapper\n raise RestError(exc.status, exc.message)\nRestError: REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\n
Also seeing a bunch along these lines, referring to ms_o365_message_trace.py
04-30-2019 14:56:48.069 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS_O365_Reporting/bin/ms_o365_message_trace.py" HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- 'Query Window Size' is required and should be at least 1 minute.\". See splunkd.log for more details."}]}
I just don't get it, because I also see some messages in _internal that make it seem like something is working:
2019-04-30 15:07:57,357 level=INFO pid=107482 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:_ingest_content_blob:169 | start_time=1556651138 datainput="Exchange" | message="Ingesting content success." count=24 size=38905 content_id="20190430150510990154775$20190430150514044043997$audit_exchange$Audit_Exchange$na0012"
@jcleary47 Check the Splunk internal SSL certificate expiration on the enterprise server. If it is expired, the add-on will not collect any data from Office 365.
Use the command below:
$SPLUNK_HOME/bin/openssl x509 -enddate -noout -in $SPLUNK_HOME/etc/auth/server.pem
The output of this command is:
notAfter=Oct 25 20:48:22 2021 GMT
The issue fixed itself from when I first posted this, but I'm getting Error 400 now. I have a separate thread for the issue. If you have any ideas please post there.
Thanks
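The certificate check suggested in the reply above can be turned into a scripted expiry test that a scheduled job or monitoring check can act on. This is an added example, not part of the original thread or the add-on; the function name `check_cert_expiry`, the `OPENSSL` override variable, the 30-day default and the exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate as OK / EXPIRING / EXPIRED.
# check_cert_expiry, OPENSSL and the exit codes are illustrative names, not Splunk's.
#   usage: check_cert_expiry "$SPLUNK_HOME/etc/auth/server.pem" 30
#   exit:  0 = OK, 1 = expires within WARN_DAYS, 2 = already expired, 3 = unreadable

OPENSSL=${OPENSSL:-openssl}   # override to use a specific openssl binary

check_cert_expiry() {
    pem=$1
    warn_days=${2:-30}

    # A missing file or a file that is not a certificate must not be
    # reported as "expired", so rule those cases out first.
    if [ ! -r "$pem" ] || ! "$OPENSSL" x509 -noout -in "$pem" >/dev/null 2>&1; then
        echo "UNREADABLE $pem"
        return 3
    fi

    # Same field the command in the thread prints: notAfter=<date>
    enddate=$("$OPENSSL" x509 -enddate -noout -in "$pem")

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! "$OPENSSL" x509 -checkend 0 -noout -in "$pem" >/dev/null 2>&1; then
        status=EXPIRED; rc=2
    elif ! "$OPENSSL" x509 -checkend $((warn_days * 86400)) -noout -in "$pem" >/dev/null 2>&1; then
        status=EXPIRING; rc=1
    else
        status=OK; rc=0
    fi

    echo "$status $enddate $pem"
    return $rc
}
```
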
