Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

problem with service status via Azure API

pedro_77
New Member
‎07-05-2020 12:23 PM

Hello,

I'm trying to use Splunk Add-on for Microsoft Office 365 to collect service status from O365 Via azure API. I have configuration that each 5 minutes i'm asking about service status and i have noticed that for a few days in rows it works but afterwards Splunk receive events for certain sourcetype only once per day at 2am. The problem is only with sourcetype: o365:service:status. Another sourcetype form the same addon: sourcetype o365:management:activity works all the time without problem. Has anyone similar problem? There is some limitation here? or Azure API is unstable? addon version 2.0.2, Audit Log Search is enabled.

0 Karma
Reply

loderlukas
New Member
‎12-09-2020 09:28 AM

Hi Pedro,

I was just having the same issue. And I also found an article on the Microsoft page telling, that those logs are always 24h delayed. https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-... 

 

They also say there, we need to use the messages to get new updates during the day. So I modified the search on the "Microsoft 365 App for Splunk" App. They are using at the moment this search to display the latest status:

index=azure `o365_service_status` | stats latest(FeatureStatus{}.FeatureServiceStatusDisplayName) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status

 

If I update to this search, it works for me:

(index=azure (sourcetype="o365:service:status" OR (sourcetype="o365:service:message" FeatureDisplayName="*"))) 
| stats latest(Status) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status

 

As you can see I had to use the other sourcetype, plust another field in the stats.

Hope that helps you too.

0 Karma
Reply

orca
Explorer
‎01-25-2022 11:47 AM

Are you getting impacted by this? https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-...

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
li.common.scroll-to.top