Solved: Setup M365 Index on Indexer Cluster with two Searc...

Serial98

Hello,

We have a Splunk indexer cluster with two searchheads and would like to use the addon in the cluster: https://splunkbase.splunk.com/app/4055

We installed the addon on the searchhead without ES and on all indexers via ClusterManager App.

Then we set up all the inputs for the addon on the searchhead and could not select the index “M365” but only enter it manually.

The problem now is that this index is not filled by the indexers!

What are we doing wrong here?

isoutamo

Hi

i’m not sure if I understand correctly how you have installed ad configured it? Have you followed this instructions where to install it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Install/ ? And then followed this how to configure it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureAppinAzureAD/ ?

Following those steps it should work. If not then you should look troubleshooting from here https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Troubleshooting/

r. Ismo

View solution in original post

PickleRick

First and foremost - you should not configure inputs on a search head. Set up a separate HF with those inputs and only use SHs for searching.

There might be more issues with your overall setup that we don't know about.

isoutamo

Hi

i’m not sure if I understand correctly how you have installed ad configured it? Have you followed this instructions where to install it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Install/ ? And then followed this how to configure it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureAppinAzureAD/ ?

Following those steps it should work. If not then you should look troubleshooting from here https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Troubleshooting/

r. Ismo

Serial98

Thanks for the quick replies, we have configured a HF and removed the input from the SH.

With the help of the guides we also managed to set the necessary EntraID permissions for the app.

Now it works and all dashboards show data.

Thank you very much!

isoutamo

As @PickleRick said, you should use separate HF in distributed environment for all modular inputs, don’t put those into SH. Of course you need TA in SH too, but not inputs configured there.

Serial98

@isoutamo ,

many thanks for the advice, we have now seperated all inputs to the HF. SH is now just for searching but has the TA installed.

@PickleRick many thanks also for the hint!

isoutamo

If you have multiple cores in that HF and if it runs e.g. DB Connect then you should add pipelines into it. That increase it's performance. Usually it's said that don't use more pipelines than 2 on your node unless it's physical server and it's HF. There are some articles/post/blogs about this, where you could found more information about it.

Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

configuration

troubleshooting

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?