×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Kamachi
Explorer
Member since: ‎10-29-2025
‎05-07-2026
Community Statistics
Posts 5
Solutions 0
Karma Given 8
Karma Received 1
Member Since ‎10-29-2025
Activity Feed
View All

Re: Splunk TA for O365 – Message Trace input fails...

by in All Apps and Add-ons
‎04-29-2026 12:31 AM
‎04-29-2026 12:31 AM
Migrated to the new endpoint as soon as it was available. The problem occured before MS released the new MT endpoint. ... View more

Re: WEF - Universal Forwarder multiple Windows TA'...

by in Getting Data In
‎04-15-2026 05:21 AM
1 Karma
‎04-15-2026 05:21 AM
1 Karma
Hi, there, fixed it already. - on prem - WEC server with UF aggregating logs from a lot of win servers Applying the following inputs.conf caused the data flow from the WEC server to stop: [WinEventLog://ForwardedEvents] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = wineventlog [WinEventLog] persistentQueueSize = 30GB The Monitoring Console still showed data being sent to the indexer _internal logs (splunkd) confirmed that data was being forwarded However, no data appeared in the target index Removing the [WinEventLog] stanza restored data flow This suggested a configuration merge issue, where the index setting was lost or misconfigured during processing, resulting in data being dropped at the indexer level Explicitly defining the target index in the [WinEventLog] stanza resolved the issue. Data is now correctly buffered using the persistent queue and indexed as expected: [WinEventLog://ForwardedEvents] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = wineventlog [WinEventLog] persistentQueueSize = 30GB index = wineventlog   Anyway thanks for the feedback! Best regards. ... View more

Re: WEF - Universal Forwarder multiple Windows TA'...

by in Getting Data In
‎04-14-2026 04:20 AM
‎04-14-2026 04:20 AM
same here, did u manage to resolve the issue? ... View more

Splunk TA for O365 – Message Trace input fails wit...

by in All Apps and Add-ons
‎03-05-2026 05:28 AM
‎03-05-2026 05:28 AM
Hi there, We’re seeing consistent ingestion failures with the Message Trace (MT) input in the Splunk Add-on for Microsoft Office 365. - Authentication to Microsoft 365 succeeds. - However, every request to the Message Trace endpoint returns HTTP 500, regardless of how small the query window is. - To rule out an overly large time range, i cloned the MT input and tested with a very small window (e.g., 15 minutes for today’s data). The request still fails with repeated 500 responses. - Other inputs are OK. 2026-03-05 13:12:36,078 level=ERROR logger=splunk_ta_o365.modinputs.message_trace datainput="MT_test1" start_time=1772712742 message="HTTP Request error: HTTPSConnectionPool(host='reports.office365.com', port=443): Max retries exceeded with url: /ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate eq datetime'2026-03-05T00:00:00Z' and EndDate eq datetime'2026-03-05T00:15:00Z' (Caused by ResponseError('too many 500 error responses'))" ... (stack trace omitted)  Q1: Have you seen this behavior (persistent HTTP 500) from the Message Trace Reporting Webservice endpoint? Q2: Are there known service-side limitations or tenant-specific issues that can cause this? Q3: What are the recommended next troubleshooting steps and/or mitigations? Q4: I know its a legacy MT endpoint as of march 2026 but there is no update from o365 addon and im not feeling to make an input for MT from scratch. Any info when the new update is planned? Thanks in advance.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-07-2026 05:23 AM
Karma from
View All
Karma given to