
Why is the O365 add-on failing to refresh access tokens?

jlaundry
Explorer

Hello,

I'm currently trying to migrate from the Microsoft Cloud Services add-on, and had everything working, but twice I've had the 365 add-on silently fail.

As an example, the below is the output of MailboxLogin | timechart count span=15m - the data just stops at 01:45 this morning.

MailboxLogin | timechart count span=15m

If I go to the 365 add-on settings page, disable all the inputs, and then re-enable all the inputs, it starts reingesting the data back to where it stopped.

I can see in the _internal log if I search for index=_internal sourcetype="splunk:ta:o365:log" | stats count by message, there's 1 message that looks like it might be bad:

2018-08-07 18:35:35,250 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:discover:124 | start_time=1533620714 datainput="xxx_Exchange" | message="Access token will expire soon."

This seems to line up with index=_internal sourcetype="splunk:ta:o365:log" datainput=xxx_Exchange | timechart count by message, where everything drops at the same time when the access token expired.

index=_internal sourcetype="splunk:ta:o365:log" datainput=xxx_Exchange | timechart count by message

Is there a missing config somewhere to refresh the access token automatically?

ehollima
Path Finder

We had this same issue (message="Access token will expire soon.") and were getting the same flat-line because no data was coming in...

It was resolved when we replaced the certificate on our HF and in o365 (you need an o365 admin for that part).

We burned up way too much time trying to find the root cause... Right or wrong answer, a new cert fixed the problem.

omuelle1
Communicator

Hi,

I am seeing a similar issue in my environment. Could you elaborate on how you replaced the certificates?

Thank you so much!


ericlavalley
Explorer

I'm having the same problem. Did you end up finding a solution to this issue?


jlaundry
Explorer

Unfortunately no, it's actually gotten worse... now it just silently fails to ingest Exchange logs, so I've got an alert set up to email me (to restart the Splunk server) when there are no results for:

index=_internal sourcetype="splunk:ta:o365:log" source="/opt/splunk/var/log/splunk/splunk_ta_o365_management_activity_*_Exchange.log" message="Ingesting content success."

I've raised this to our account manager, but haven't heard back yet. I'm hopeful there'll be a 1.1 release sometime soon.

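The silent-failure pattern described in this thread (an "Access token will expire soon." event followed by no further "Ingesting content success." events for a data input) can be checked outside Splunk as well. The script below is an added example, not code from the thread or from the Splunk add-on: it parses lines in the splunk:ta:o365:log format shown above and flags inputs with no recent successful ingest, noting when the last thing seen for that input was the token-expiry warning. The sample log lines, the datainput names and the 30-minute gap threshold are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the splunk:ta:o365:log format quoted in the thread
# (timestamps and datainput names are made up for this example).
SAMPLE_LOG = """\
2018-08-07 01:30:00,100 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:ingest:200 | start_time=1533620714 datainput="xxx_Exchange" | message="Ingesting content success."
2018-08-07 01:35:35,250 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:discover:124 | start_time=1533620714 datainput="xxx_Exchange" | message="Access token will expire soon."
2018-08-07 01:40:00,000 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:ingest:200 | start_time=1533620714 datainput="xxx_AzureAD" | message="Ingesting content success."
2018-08-07 02:55:00,000 level=INFO pid=22835 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=management_activity.py:ingest:200 | start_time=1533620714 datainput="xxx_AzureAD" | message="Ingesting content success."
"""

# Timestamp at the start of the line, then the datainput and message fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?'
    r'datainput="(?P<datainput>[^"]*)" \| message="(?P<message>[^"]*)"'
)

def parse_lines(text):
    """Yield (timestamp, datainput, message) for every parsable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("datainput"), m.group("message")

def stalled_inputs(text, now, max_gap=timedelta(minutes=30)):
    """Map datainput -> reason for inputs with no successful ingest within max_gap of now."""
    last_success, expiring = {}, {}
    for ts, inp, msg in parse_lines(text):
        if msg == "Ingesting content success.":
            last_success[inp] = ts
        elif msg == "Access token will expire soon.":
            expiring[inp] = ts
    result = {}
    for inp in set(last_success) | set(expiring):
        last = last_success.get(inp)
        if last is None or now - last > max_gap:
            reason = "no successful ingest in window"
            # The thread's symptom: the expiry warning is the last event for the input.
            if inp in expiring and (last is None or expiring[inp] >= last):
                reason += "; last event was 'Access token will expire soon.'"
            result[inp] = reason
    return result

def check_sample():
    """Run the detector over the constructed sample with a fixed 'now' of 03:00."""
    return stalled_inputs(SAMPLE_LOG, datetime(2018, 8, 7, 3, 0, 0))
```

Running check_sample() reports xxx_Exchange as stalled with the token-expiry note and leaves xxx_AzureAD alone, since it ingested successfully five minutes before the check.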