Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

problem with service status via Azure API

pedro_77
New Member
‎07-05-2020 12:23 PM

Hello,

I'm trying to use Splunk Add-on for Microsoft Office 365 to collect service status from O365 Via azure API. I have configuration that each 5 minutes i'm asking about service status and i have noticed that for a few days in rows it works but afterwards Splunk receive events for certain sourcetype only once per day at 2am. The problem is only with sourcetype: o365:service:status. Another sourcetype form the same addon: sourcetype o365:management:activity works all the time without problem. Has anyone similar problem? There is some limitation here? or Azure API is unstable? addon version 2.0.2, Audit Log Search is enabled.

Labels (1)
Labels
0 Karma
Reply

loderlukas
New Member
‎12-09-2020 09:28 AM

Hi Pedro,

I was just having the same issue. And I also found an article on the Microsoft page telling, that those logs are always 24h delayed. https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-... 

 

They also say there, we need to use the messages to get new updates during the day. So I modified the search on the "Microsoft 365 App for Splunk" App. They are using at the moment this search to display the latest status:

index=azure `o365_service_status` | stats latest(FeatureStatus{}.FeatureServiceStatusDisplayName) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status

 

If I update to this search, it works for me:

(index=azure (sourcetype="o365:service:status" OR (sourcetype="o365:service:message" FeatureDisplayName="*"))) 
| stats latest(Status) AS Status by WorkloadDisplayName | rename WorkloadDisplayName AS Workload | sort - Status

 

As you can see I had to use the other sourcetype, plust another field in the stats.

Hope that helps you too.

0 Karma
Reply

orca
Explorer
‎01-25-2022 11:47 AM

Are you getting impacted by this? https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-service-communications-...

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...