I just installed the Add-on for Microsoft Cloud Services by following the installation guide and using Splunk Web. I was able to get the certificate uploaded and have gotten "Auto-generated and verified as valid" as the status. When I created the Input, everything seemed to go fine, but on the Troubleshooting dashboard I am showing 1 Invalid Input.
I am running an all-in-one enterprise Splunk instance (version 6.4.2).
When I click on the Invalid Input (red 1) it brings up a table of data with this information:
Error Code - ACTC001
Host - splunk
Problem - An error occurred while attempting to connect to Office 365.
Problem Detail - Current access token cannot be validated by Office 365 when attempting to collect data on the forwarder.
Possible Reason - The access token used on the forwarder might be broken or expired. The forwarder may not have received the latest configuration or something might be wrong with the account used to refresh the latest access token.
When I click on the red triangle next to the Invalid Input (red 1), it pops up a window with this information:
[UNCSSPLUNKLDM] Failed to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_microsoft-cloudservices/configs/conf-splunk_ta_ms_o365_server_management_api_inputs?count=0 from server=https://127.0.0.1:8089
[UNCSSPLUNKLDM] Unexpected status for to fetch REST endpoint uri=https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_microsoft-cloudservices/configs/conf-splunk_ta_ms_o365_server_management_api_inputs?count=0 from server=https://127.0.0.1:8089 - Not Found.
I have tried following the link in a web browser, and I get a certificate error. Once I click past the certificate error I am able to log on to the web page with my Splunk credentials. It then displays a page titled "Splunk Atom Feed:conf-splunk_ta_ms_o365_server_management_api_inputs".