Hi,
I receive all the data from different tenants, but my data is not tagged to be able to use it in my Enterprise Security, although I have "Authentication and Change" data models enabled.
I have the "Splunk Add-on application for Microsoft Office 365" installed on an HF and the MSO365 application installed on my search head.
I have a cluster Splunk configuration with three indexers, the TA was copied to the master and also bundeled in the indexers.
Greetings.
I have fixed copying the Ta on my Search Head.
Regards.