Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

problem with service status via Azure API

pedro_77
New Member
‎07-05-2020 12:23 PM

Hello,

I'm trying to use Splunk Add-on for Microsoft Office 365 to collect service status from O365 Via azure API. I have configuration that each 5 minutes i'm asking about service status and i have noticed that for a few days in rows it works but afterwards Splunk receive events for certain sourcetype only once per day at 2am. The problem is only with sourcetype: o365:service:status. Another sourcetype form the same addon: sourcetype o365:management:activity works all the time without problem. Has anyone similar problem? There is some limitation here? or Azure API is unstable? addon version 2.0.2, Audit Log Search is enabled.

0 Karma
Reply

loderlukas
New Member
‎12-09-2020 09:28 AM

Hi Pedro,

I was just having the same issue. And I also found an article on the Microsoft page telling, that those logs are always 24h delayed. https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-... 

 

They also say there, we need to use the messages to get new updates during the day. So I modified the search on the "Microsoft 365 App for Splunk" App. They are using at the moment this search to display the latest status:

index=azure `o365_service_status` | stats latest(FeatureStatus{}.FeatureServiceStatusDisplayName) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status

 

If I update to this search, it works for me:

(index=azure (sourcetype="o365:service:status" OR (sourcetype="o365:service:message" FeatureDisplayName="*"))) 
| stats latest(Status) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status

 

As you can see I had to use the other sourcetype, plust another field in the stats.

Hope that helps you too.

0 Karma
Reply

orca
Explorer
‎01-25-2022 11:47 AM

Are you getting impacted by this? https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...