Hi, I noticed that our O365 message tracing logs stopped getting indexed using Microsoft Office 365 Reporting Add-on for Splunk v 1.2.1.

This is a sample error message we got:

2020-07-20 13:19:32,756 ERROR pid=6727 tid=MainThread file=base_modinput.py:log_error:309 | HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2020-07-01T00:00:00Z'%20and%20EndDate%20eq%20datetime'2020-07-01T00:15:00Z'

I removed the ? in the "MessageTrace?$filter=StartDate" part of the URL in this file: input_module_ms_o365_message_trace.py

# Currently "$orderby=Received asc" does not work when retrieving messages with Skiptoken. Just drop "Received asc" then it works.
#microsoft_trace_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$orderby=Received asc&$filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'" % (start_date.isoformat(), end_date.isoformat())
# cwi remove ? from filter
#microsoft_trace_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'" % (start_date.isoformat(), end_date.isoformat())
microsoft_trace_url = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?filter=StartDate eq datetime'%sZ' and EndDate eq datetime'%sZ'" % (start_date.isoformat(), end_date.isoformat())
messages = get_messages(helper, microsoft_trace_url, global_microsoft_office_365_username, global_microsoft_office_365_password)

The input is working on our installation now.
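While the input was failing, every 400 in the add-on log corresponds to a message trace window that never reached the index. The following is an added example, not part of the original post or of the add-on's code: it parses error lines in the format quoted above and merges the failed StartDate/EndDate windows into ranges to backfill. The function names are hypothetical, and the second and third sample log lines are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, unquote

# First line is the error quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
2020-07-20 13:19:32,756 ERROR pid=6727 tid=MainThread file=base_modinput.py:log_error:309 | HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2020-07-01T00:00:00Z'%20and%20EndDate%20eq%20datetime'2020-07-01T00:15:00Z'
2020-07-20 13:19:33,101 INFO pid=6727 tid=MainThread file=base_modinput.py:log_info:295 | constructed non-error line
2020-07-20 13:24:32,811 ERROR pid=6727 tid=MainThread file=base_modinput.py:log_error:309 | HTTP Request error: 400 Client Error: Bad Request for url: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2020-07-01T00:15:00Z'%20and%20EndDate%20eq%20datetime'2020-07-01T00:30:00Z'
"""

# Group 1: HTTP status, group 2: the request URL as logged (percent-encoded).
ERROR_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ ERROR .*?"
    r"HTTP Request error: (\d{3}) .*? for url: (\S+)"
)
BOUND_RE = re.compile(r"(StartDate|EndDate) eq datetime'([^']+)'")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def failed_windows(log_text):
    """Return (start, end, http_status) for each failed MessageTrace request."""
    found = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if not m or "/MessageTrace" not in m.group(2):
            continue
        query = unquote(urlsplit(m.group(2)).query)
        bounds = dict(BOUND_RE.findall(query))
        if {"StartDate", "EndDate"} <= bounds.keys():
            found.append((_ts(bounds["StartDate"]), _ts(bounds["EndDate"]), int(m.group(1))))
    return found


def merge_gaps(windows):
    """Merge touching or overlapping windows into continuous ranges to backfill."""
    gaps = []
    for start, end, _status in sorted(windows):
        if gaps and start <= gaps[-1][1]:
            gaps[-1][1] = max(gaps[-1][1], end)
        else:
            gaps.append([start, end])
    return [tuple(g) for g in gaps]


if __name__ == "__main__":
    for start, end in merge_gaps(failed_windows(SAMPLE_LOG)):
        print(f"not indexed: {start.isoformat()}Z to {end.isoformat()}Z")
```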