Configure optional settings for the Splunk Add-on for Microsoft Office 365

Note

The Splunk Add-on for Microsoft Office 365 only supports HTTP proxy.

Prerequisites: Before you configure the Settings, complete the previous steps in the configuration process:

Configure Proxy and Log Level settings

Using Splunk Web, configure Proxy and Log Level settings on the Splunk platform instance that you have designated as your configuration server for this add-on.

  1. On your Splunk platform instance, navigate to the Splunk Web home screen.
  2. In the left navigation banner, click on Splunk Add-on for Microsoft Office 365.
  3. Click on the Configuration tab.
  4. If you need to use a proxy:
    • Click the Proxy tab.
    • Fill in the form with your proxy details. If your proxy server does not require authentication, leave the username and password fields empty.
    • Click Save.
  5. To change the logging levels:
    • Click the Logging tab.
    • Select the Log Level.
    • Click Save.

Configure the request timeout parameter for Management Activity inputs

Configure the request_timeout parameter for Management Activity inputs.

request_timeout is the number of seconds to wait before a timeout while getting a response from the subscription API.

  • The range for the parameter is from 10 to 600 seconds.
  • The default value of the request_timeout parameter is 60 seconds.
  • The upper limit value of the request_timeout parameter is 600 seconds.
  • The lower limit value of the request_timeout parameter is 10 seconds.

There are two ways to add a request_timeout parameter with a configured input.

  1. Make the request_timeout parameter configurable to all configured inputs.
    • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    • Copy the following stanza, and add it to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.
      [splunk_ta_o365_management_activity]
      request_timeout = <integer>

      This setting will override the default value of request_timeout defined in default/inputs.conf and will apply to all configurable Management Activity inputs.
    • Save your changes.
  2. Make the request_timeout parameter configurable by adding request_timeout to the specific Management Activity input.
    • Configure the Management Activity input using Splunk Web.
    • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    • Open $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf and add the request_timeout = <integer> parameter under each configured input. For example, the [splunk_ta_o365_management_activity://<Input_Name>] stanza.
    • Save your changes.

Configure the request timeout parameter for Graph API inputs

Configure the request_timeout parameter for Audit Logs inputs.

request_timeout is the number of seconds to wait before a timeout while getting a response from the Graph API.

  • The range for the parameter is from 10 to 600 seconds.
  • The default value of the request_timeout parameter is 60 seconds.
  • The upper limit value of the request_timeout parameter is 600 seconds.
  • The lower limit value of the request_timeout parameter is 10 seconds.

To configure it from the UI:

  • Click “Create New Input” and select “Audit Logs”.
  • Under the “Advanced Settings” section, configure the “Request Timeout” parameter.

You can also configure the request_timeout in all the Graph API inputs from $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf.

Configure the token refresh window parameter for Management Activity inputs

Configure the token_refresh_window parameter for Management Activity inputs.

token_refresh_window is the number of seconds before the token expires at which the token must be refreshed. For example, if the token expires at 01:00 PM and the user has entered 600 as the value of the token_refresh_window parameter, then the token will be refreshed at 12:50 PM.

  • The range for the token_refresh_window parameter is from 400 seconds to 3600 seconds.
  • The default value of token_refresh_window is 600 seconds.
  • The upper limit of token_refresh_window is 3600 seconds.
  • The lower limit of token_refresh_window is 400 seconds.

There are two ways to add a token_refresh_window parameter with configured inputs.

  1. Make the token_refresh_window parameter configurable to all configured inputs.
    • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    • Copy the below stanza, and add it to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.
      [splunk_ta_o365_management_activity]
      token_refresh_window = <integer>

      This setting will override the default value of token_refresh_window defined in default/inputs.conf and it will apply to all configurable Management Activity inputs.
    • Save your changes.

  2. Make the token_refresh_window parameter configurable by adding token_refresh_window to specific Management Activity inputs.

    • Configure the Management Activity input using Splunk Web.
    • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    • Open $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf, and add the token_refresh_window = <integer> parameter to each specific Management Activity input. For example, the [splunk_ta_o365_management_activity://<Input_Name>] stanza.
    • Save your changes.
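
The following check is an added example, not part of the add-on or of the original page. It reads the text of a local/inputs.conf, flags any request_timeout or token_refresh_window value outside the ranges given above, and reports the value each Management Activity input ends up with. The sample file contents, the input names, and the precedence order (per-input stanza first, then the [splunk_ta_o365_management_activity] stanza, then the default listed on this page) are assumptions.

```python
import configparser

# (low, high, default) in seconds, as stated on this page.
LIMITS = {
    "request_timeout": (10, 600, 60),
    "token_refresh_window": (400, 3600, 600),
}
SCHEME = "splunk_ta_o365_management_activity"

# Constructed sample of local/inputs.conf; input names and values are made up.
SAMPLE_CONF = """
[splunk_ta_o365_management_activity]
request_timeout = 120

[splunk_ta_o365_management_activity://audit_exchange]
token_refresh_window = 900

[splunk_ta_o365_management_activity://audit_sharepoint]
request_timeout = 5
token_refresh_window = 10m
"""


def check_inputs_conf(text):
    """Return (effective, problems) for the given inputs.conf text."""
    conf = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    conf.optionxform = str  # keep setting names exactly as written
    conf.read_string(text)

    # Range-check both settings wherever they appear, in any stanza.
    problems = []
    for section in conf.sections():
        for key, (low, high, _) in LIMITS.items():
            raw = conf.get(section, key, fallback=None)
            if raw is not None and not (
                    raw.isdecimal() and low <= int(raw) <= high):
                problems.append((section, key, raw))

    # Assumed precedence: per-input stanza, then the scheme-wide stanza,
    # then the default listed on this page.
    effective = {}
    for section in conf.sections():
        if section.startswith(SCHEME + "://"):
            effective[section] = {
                key: conf.get(section, key, fallback=conf.get(
                    SCHEME, key, fallback=str(default)))
                for key, (_, _, default) in LIMITS.items()
            }
    return effective, problems
```

Call check_inputs_conf() with the contents of $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf; an empty problems list means every configured value is an integer within the documented range.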