Why is the O365 add-on failing to refresh access tokens?

I'm currently trying to migrate from the Microsoft Cloud Services add-on, and had everything working, but twice I've had the 365 add-on silently fail.

As an example, the below is the output of MailboxLogin | timechart count span=15m - the data just stops at 01:45 this morning.

MailboxLogin | timechart count span=15m

If I go to the 365 add-on settings page, disable all the inputs, and then re-enable all the inputs, it starts reingesting the data back to where it stopped.

I can see in the _internal log if I search for index=_internal sourcetype="splunk:ta:o365:log" | stats count by message, there's 1 message that looks like it might be bad:

2018-08-07 18:35:35,250 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity | start_time=1533620714 datainput="xxx_Exchange" | message="Access token will expire soon."

This seems to line up with index=_internal sourcetype="splunk:ta:o365:log" datainput=xxx_Exchange | timechart count by message, where everything drops at the same time when the access token expired.

index=_internal sourcetype="splunk:ta:o365:log"  datainput=xxx_Exchange | timechart count by message

Is there a missing config somewhere to refresh the access token automatically?

We had this same issue (message="Access token will expire soon.") and were getting the same flat line because no data was coming in...

It was resolved when we replaced the certificate on our HF and in O365 (you need an O365 admin for that part).

We burned up way too much time trying to find the root cause... Right or wrong answer, a new cert fixed the problem.

I am seeing a similar issue in my environment. Could you elaborate on how you replaced the certificates?

Thank you so much!

I'm having the same problem. Did you end up finding a solution to this issue?

Unfortunately no, it's actually gotten worse... now it just silently fails to ingest Exchange logs, so I've got an alert set up to email me (to restart the Splunk server) when there's no results for:

index=_internal sourcetype="splunk:ta:o365:log" source="/opt/splunk/var/log/splunk/splunk_ta_o365_management_activity_*_Exchange.log" message="Ingesting content success."

I've raised this to our account manager, but haven't heard back yet. I'm hopeful there'll be a 1.1 release sometime soon.
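The two symptoms in this thread (the "Access token will expire soon." message followed by a flat line, and the absence of "Ingesting content success." lines that the alert above keys on) can be checked outside of Splunk as well, for example from the add-on's log file on the heavy forwarder. The script below is an added example written for this thread, not code from the Splunk add-on or from any poster: it parses lines in the splunk:ta:o365:log shape shown earlier, tracks the last successful ingest per data input, and flags inputs that have been silent longer than a threshold, noting when the silence began with a token-expiry warning. The sample log lines, the `xxx_SharePoint` input name and the evaluation time are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the splunk:ta:o365:log sample in the thread; only the
# timestamp, the datainput name and the message text are needed here.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*?'
    r'datainput="(?P<datainput>[^"]+)".*?message="(?P<message>[^"]*)"'
)

EXPIRY_MSG = "Access token will expire soon."
SUCCESS_MSG = "Ingesting content success."

# Constructed sample log, not real output: Exchange gets a token-expiry
# warning and then goes quiet, SharePoint keeps ingesting, one line is noise.
SAMPLE_LINES = [
    '2018-08-07 18:30:00,000 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity | start_time=1533620714 datainput="xxx_Exchange" | message="Ingesting content success."',
    '2018-08-07 18:35:35,250 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity | start_time=1533620714 datainput="xxx_Exchange" | message="Access token will expire soon."',
    '2018-08-07 18:40:00,000 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity | start_time=1533620714 datainput="xxx_SharePoint" | message="Ingesting content success."',
    'this line is not in the expected format and must be skipped',
    '2018-08-07 19:55:00,000 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity | start_time=1533620714 datainput="xxx_SharePoint" | message="Ingesting content success."',
]
# Constructed "now" for the sample; in practice use datetime.now().
SAMPLE_NOW = datetime(2018, 8, 7, 20, 0, 0)


def parse_line(line):
    """Return (timestamp, datainput, message), or None for lines that don't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("datainput"), m.group("message")


def find_stalled_inputs(lines, now, max_silence=timedelta(minutes=30)):
    """Map each stalled datainput to {"silent_minutes": int, "reason": str}.

    An input is stalled when its last "Ingesting content success." is older
    than max_silence (or never seen). If a token-expiry warning is the most
    recent of the two events, that is reported as the reason, since that is
    the pattern the thread describes.
    """
    last_success = {}
    last_expiry_warning = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, datainput, message = parsed
        if message == SUCCESS_MSG:
            last_success[datainput] = ts
        elif message == EXPIRY_MSG:
            last_expiry_warning[datainput] = ts

    stalled = {}
    for datainput in set(last_success) | set(last_expiry_warning):
        success = last_success.get(datainput)
        warning = last_expiry_warning.get(datainput)
        if success is not None and now - success <= max_silence:
            continue  # ingesting recently, nothing to report
        reason = "no successful ingest within window"
        if warning is not None and (success is None or warning >= success):
            reason = "token expiry warning with no successful ingest since"
        silent_minutes = int((now - success).total_seconds() // 60) if success else -1
        stalled[datainput] = {"silent_minutes": silent_minutes, "reason": reason}
    return stalled


def run_sample():
    """Evaluate the constructed sample; exposed so the result can be checked."""
    return find_stalled_inputs(SAMPLE_LINES, SAMPLE_NOW)


if __name__ == "__main__":
    for name, info in sorted(run_sample().items()):
        print(f"{name}: silent {info['silent_minutes']} min, {info['reason']}")
```

To run it against a live forwarder, replace `SAMPLE_LINES` with the contents of the splunk_ta_o365_management_activity_*_Exchange.log files and `SAMPLE_NOW` with `datetime.now()`; the threshold should be comfortably longer than the input's polling interval so a normal quiet period is not reported as a stall.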