Splunk Cloud Platform

Data ingestion stopped from Splunk Add-on for Microsoft Office 365

Splunkerninja
Path Finder

Hi, we have stopped getting O365 logs. When I looked for errors, I saw the error below. Does it mean the client secret is expired?

level=ERROR pid=22156 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:72 | datainput=b'xoar_Management_Exchange' start_time=1715152233 | message="Data input was interrupted by an unhandled exception." 
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 135, in run
    executor.run(adapter)
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/batch.py", line 54, in run
    for jobs in delegate.discover():
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 225, in discover
    self._clear_expired_markers()
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py", line 294, in _clear_expired_markers
    checkpoint.sweep()
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 86, in sweep
    return self._store.sweep()
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 258, in sweep
    indexes = self.build_indexes(fp)
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 189, in build_indexes
    indexes[key] = pos
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/sortedcontainers/sorteddict.py", line 300, in __setitem__
    dict.__setitem__(self, key, value)
MemoryError
0 Karma

deepakc
Builder

It shows out of memory in the log - this could be caused by large volumes of data coming in from O365 events.

You might consider changing the interval in the inputs for the collection. (I don’t know if this will fix it, but it may help with the different inputs you may have; it sounds like it’s bottlenecked somewhere.)

Check the memory usage where this add-on is running (normally on a HF) - perhaps you need to increase this if it’s very low.

Have a look at the troubleshooting guide; there may be items there to help investigate further.

https://docs.splunk.com/Documentation/AddOns/released/MSO365/Troubleshooting

0 Karma
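A way to triage this kind of log along the lines of the answer above, as an added example that is not part of the original thread or the add-on's code: it reads each ERROR event, pulls out the data input name, the call frames and the final exception type, and lists the inputs that died with `MemoryError`. The function names `triage` and `memory_exhausted_inputs` and the second sample event are assumptions made for illustration.

```python
import re

# Constructed sample: the first event is shortened from the log in the question;
# the second (input name and exception) is invented to show a contrasting case.
SAMPLE_LOG = r'''level=ERROR pid=22156 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:72 | datainput=b'xoar_Management_Exchange' start_time=1715152233 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 258, in sweep
    indexes = self.build_indexes(fp)
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/checkpoint.py", line 189, in build_indexes
    indexes[key] = pos
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/sortedcontainers/sorteddict.py", line 300, in __setitem__
    dict.__setitem__(self, key, value)
MemoryError
level=ERROR pid=22190 tid=MainThread logger=splunk_ta_o365.modinputs.management_activity pos=utils.py:wrapper:72 | datainput=b'constructed_input' start_time=1715152300 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/lib/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
ValueError: constructed example
'''

HEADER = re.compile(r"level=ERROR .*?logger=(?P<logger>\S+).*?datainput=b?'(?P<input>[^']+)'")
FRAME = re.compile(r'^\s+File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
EXC = re.compile(r"^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception))(?::\s*(?P<detail>.*))?$")

def triage(log_text):
    """Return one dict per ERROR event: input name, call frames, exception type."""
    events, current = [], None
    for line in log_text.splitlines():
        header = HEADER.search(line)  # search, so a leading timestamp is tolerated
        if header:
            current = {"input": header["input"], "logger": header["logger"],
                       "frames": [], "exception": None}
            events.append(current)
        elif current is not None:
            frame, exc = FRAME.match(line), EXC.match(line)
            if frame:
                name = frame["file"].rsplit("/", 1)[-1]
                current["frames"].append(f'{name}:{frame["line"]}:{frame["func"]}')
            elif exc:  # an unindented "SomeError[: detail]" line ends the traceback
                current["exception"] = exc["type"]
                current = None
    return events

def memory_exhausted_inputs(events):
    """Inputs whose run ended in MemoryError (host memory, not credentials)."""
    return sorted({e["input"] for e in events if e["exception"] == "MemoryError"})

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["input"], e["exception"], e["frames"][-1] if e["frames"] else "-")
```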