Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get MESSAGE TRACE LOGS from Azure to Splunk

jacknguyen
Path Finder
‎07-08-2023 06:10 AM

Hi all, I have a big problem with my customer.

I try to get message trace logs from Azure for O365, following the Splunk doc, my account have all 3 roles:

Exchange Administrator 

Global Administrator 

Global Reader role

In my lab Splunk I try to trouble shoot by _internal and I have this. Any one know why and how to fix this?

jacknguyen_0-1688821562834.png

this is sample log:

 

 

 

2023-07-08 20:00:18,077 level=ERROR pid=10564 tid=MainThread logger=splunk_ta_o365.modinputs.message_trace pos=__init__.py:run:376 | datainput=b'messagetrace' start_time=1688821215 | message="An error occurred while collecting data" stack_info=True
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 371, in run
    self._collect_events(app)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 145, in _collect_events
    self._get_events_continuous(app)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 216, in _get_events_continuous
    self._process_messages(start_date, end_date)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 283, in _process_messages
    message_response = self._get_messages(microsoft_trace_url)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 270, in _get_messages
    raise e
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/message_trace/__init__.py", line 262, in _get_messages
    response.raise_for_status()
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2023-07-03T12:54:27Z'%20and%20EndDate%20eq%20datetime'2023-07-03T13:54:27Z'

 

 

 

 

Labels (5)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...