The Splunk add-on for O365 stops ingesting data, and a restart of the Splunk service makes it work again.
I see the errors below in the add-on audit logs:
O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
ERROR ApplicationUpdater - Error checking for update, URL=https://apps.splunk.com/api/apps:resolve/checkforupgrade: Winsock error 10054
ConnectionError: ('Connection aborted.', error(10054, 'An existing connection was forcibly closed by the remote host'))
For the Winsock error, increase maxThreads and maxSockets.
In the [httpServer] stanza, set:
[httpServer]
maxThreads=100000
maxSockets=50000
For the error O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
We get this error if the Standard O365 subscription doesn't contain the DLP feature.