Solved: Splunk add-on for O365

mbagali_splunk · ‎12-28-2018

Splunk add-on for O365 stops ingesting data and a restart of splunk service makes it working again.

I see below errors in add-on audit logs:

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

ERROR ApplicationUpdater - Error checking for update, URL=https://apps.splunk.com/api/apps:resolve/checkforupgrade: Winsock error 10054

ConnectionError: ('Connection aborted.', error(10054, 'An existing connection was forcibly closed by the remote host'))

mbagali_splunk · ‎12-28-2018

For Winsock error , Increase maxThreads and maxSockets

In the [httpServer] stanza, set
[httpServer]
maxThreads=100000
maxSockets=50000

For error : O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

We get this error if Standard O365 subscription doesn't contain DLP feature.

View solution in original post

mbagali_splunk · ‎12-28-2018

For Winsock error , Increase maxThreads and maxSockets

In the [httpServer] stanza, set
[httpServer]
maxThreads=100000
maxSockets=50000

For error : O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

We get this error if Standard O365 subscription doesn't contain DLP feature.

Splunk add-on for O365

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation