All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Microsoft Office 365 Reporting Mail Add-on for Splunk inputs configuration

rayar
Contributor
‎01-27-2021 01:00 AM

I have the input working for long time 

after it stopped working I have reinstalled the Add-on 1.2.4

Now I am a lot of data I need to import 

how you would recommend to setup the input (delay_throttle , query_window_size ,interval ) ?

 

[splunk@ilissplfwd05 local]$ cat inputs.conf


[ms_o365_message_trace://o365tracking]
delay_throttle = 720
index = o365
input_mode = continuously_monitor
interval = 30
office_365_account = o365tracking
query_window_size = 30
start_date_time = 2021-01-21T00:00:01
disabled = 0
[splunk@ilissplfwd05 local]$

Labels (1)
Labels
0 Karma
Reply

becksyboy
Communicator
‎01-27-2021 07:50 AM

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs.

This may help you:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporti...

Also from the App:

https://splunkbase.splunk.com/app/3720/#/details

  1. Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes.
  2. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".

 

0 Karma
Reply

becksyboy
Communicator
‎01-27-2021 03:18 AM

You should be able to do an index once. Can't remember how far you can go back but you should be able to do 20-30 days worth? 

 

[ms_o365_message_trace://index_once]
delay_throttle = 1
index = ********
input_mode = index_once
interval = -1
office_365_password = ********
office_365_username = ********
query_window_size = 60
start_date_time = 2021-01-01T11:01:01
end_date_time = 2021-01-27T11:01:01

0 Karma
Reply

rayar
Contributor
‎01-27-2021 07:34 AM

thanks a lot

I will create a separate input for "Index  Once"

What values you would recommend for "Continuously Monitor" ?

 

 

0 Karma
Reply

becksyboy
Communicator
‎01-28-2021 02:50 AM

This really depends on your requirements. You may want to vary the settings until you find the one that meets your needs.

This may help you:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Input-settings-for-Microsoft-Office-365-Reporti...

Also from the App:

https://splunkbase.splunk.com/app/3720/#/details

  1. Specify the Query window size (minutes). When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2018-01-01T00:00:00 (midnight on January 1, 2018), the end date for the query will be 2018-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes.
  2. Specify the Delay throttle (minutes). Microsoft may delay trace events up to 24 hours and events are not guaranteed to be sequential during this delay ( reference ). This parameter specifies how close to "now" the end date for a query may be (where "now" is the time that the input runs). Continuing from the example above, if "now" is 2018-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from "now". Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from "now".
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...