Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setup M365 Index on Indexer Cluster with two Searchheads (normal and ES)

Serial98
Explorer
‎12-16-2024 02:58 AM

Hello,

We have a Splunk indexer cluster with two searchheads and would like to use the addon in the cluster: https://splunkbase.splunk.com/app/4055

We installed the addon on the searchhead without ES and on all indexers via ClusterManager App.

Then we set up all the inputs for the addon on the searchhead and could not select the index “M365” but only enter it manually.

The problem now is that this index is not filled by the indexers!

What are we doing wrong here?

Screenshot 2024-12-16 115428.pngScreenshot 2024-12-16 115517.pngScreenshot 2024-12-16 115555.pngScreenshot 2024-12-16 115619.png

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-16-2024 01:31 PM

Hi

i’m not sure if I understand correctly how you have installed ad configured it? Have you followed this instructions where to install it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Install/ ? And then followed this how to configure it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureAppinAzureAD/ ?

Following those steps it should work. If not then you should look troubleshooting from here https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Troubleshooting/ 

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-16-2024 03:34 PM

First and foremost - you should not configure inputs on a search head. Set up a separate HF with those inputs and only use SHs for searching.

There might be more issues with your overall setup that we don't know about.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-16-2024 01:31 PM

Hi

i’m not sure if I understand correctly how you have installed ad configured it? Have you followed this instructions where to install it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Install/ ? And then followed this how to configure it https://splunk.github.io/splunk-add-on-for-microsoft-office-365/ConfigureAppinAzureAD/ ?

Following those steps it should work. If not then you should look troubleshooting from here https://splunk.github.io/splunk-add-on-for-microsoft-office-365/Troubleshooting/ 

r. Ismo

0 Karma
Reply
Solved! Jump to solution

Serial98
Explorer
‎12-17-2024 03:56 AM

Thanks for the quick replies, we have configured a HF and removed the input from the SH.

With the help of the guides we also managed to set the necessary EntraID permissions for the app.

Now it works and all dashboards show data.

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-17-2024 05:51 AM
As @PickleRick said, you should use separate HF in distributed environment for all modular inputs, don’t put those into SH. Of course you need TA in SH too, but not inputs configured there.
0 Karma
Reply
Solved! Jump to solution

Serial98
Explorer
‎12-17-2024 06:09 AM

@isoutamo ,

many thanks for the advice, we have now seperated all inputs to the HF. SH is now just for searching but has the TA installed. 

@PickleRick  many thanks also for the hint!

Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-17-2024 08:10 AM
If you have multiple cores in that HF and if it runs e.g. DB Connect then you should add pipelines into it. That increase it's performance. Usually it's said that don't use more pipelines than 2 on your node unless it's physical server and it's HF. There are some articles/post/blogs about this, where you could found more information about it.
0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top