The add on for splunk, Microsoft Office 365 has not been working on the front end and throws a 500 error and has been causing issues with sourcetypes not reporting in.
Theres nothing wrong with the account for the add on
I have checked splunkd and found these logs.
0500 INFO SpecFiles - Found external scheme definition for stanza="splunk_ta_o365_service_status://" from spec file="/opt/splunk/etc/apps/TPA-TA-microsoft_office_O365/README/inputs.conf.spec" with parameters="tenant_name, content_type"
0500 INFO SpecFiles - Found external scheme definition for stanza="ms_o365_message_trace://" from spec file="/opt/splunk/etc/apps/TA-MS_O365_Reporting/README/inputs.conf.spec" with parameters="input_mode, office_365_username, office_365_password, query_window_size, delay_throttle, start_date_time, end_date_time"
0500 INFO SpecFiles - Found external scheme definition for stanza="splunk_ta_o365_management_activity://" from spec file="/opt/splunk/etc/apps/TPA-TA-microsoft_office_O365/README/inputs.conf.spec" with parameters="tenant_name, content_type, number_of_threads"
0500 INFO SpecFiles - Found external scheme definition for stanza="splunk_ta_o365_service_message://" from spec file="/opt/splunk/etc/apps/TPA-TA-microsoft_office_O365/README/inputs.conf.spec" with parameters="tenant_name"
0500 WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-vendor_product' in stanza [ms:o365:reporting:messagetrace]: The expression is malformed. Expected OR.
... View more