# Configure optional settings for the Splunk Add-on for Microsoft Office 365
Note
The Splunk Add-on for Microsoft Office 365 only supports HTTP proxy.
Prerequisites: Before you configure the Settings, complete the previous steps in the configuration process:
- Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
- Configure a Tenant in the Splunk Add-on for Microsoft Office 365
- For more information on configuring respective inputs, see the Configuration topic in this manual.
## Configure Proxy and Log Level settings
Using Splunk Web, configure Proxy and Log Level settings on the Splunk platform instance that you have designated as your configuration server for this add-on.
- On your Splunk platform instance, navigate to the Splunk Web home screen.
- In the left navigation banner, click on Splunk Add-on for Microsoft Office 365.
- Click on the Configuration tab.
- If you need to use a proxy:
  - Click the Proxy tab.
  - Fill in the form with your proxy details. If your proxy server does not require authentication, leave the username and password fields empty.
  - Click Save.
- To change the logging levels:
  - Click the Logging tab.
  - Select the Log Level.
  - Click Save.
## Configure the request timeout parameter for Management Activity inputs

Configure the `request_timeout` parameter for Management Activity inputs. `request_timeout` is the number of seconds to wait before timing out while getting a response from the subscription API.

- The range for the parameter is from 10 to 600 seconds.
- The default value of the `request_timeout` parameter is 60 seconds.
- The upper limit value of the `request_timeout` parameter is 600 seconds.
- The lower limit value of the `request_timeout` parameter is 10 seconds.

There are two ways to add a `request_timeout` parameter to a configured input.

- Make the `request_timeout` parameter configurable for all configured inputs.
  - Navigate to `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local`, and create an `inputs.conf` file, if it does not already exist.
  - Copy the following stanza, and add it to the `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf` file. This setting will override the default value of `request_timeout` defined in `default/inputs.conf` and will apply to all configurable Management Activity inputs.

    ```
    [splunk_ta_o365_management_activity]
    request_timeout = <integer>
    ```
  - Save your changes.
- Make the `request_timeout` parameter configurable by adding `request_timeout` to the specific Management Activity input.
  - Configure the Management Activity input using Splunk Web.
  - Navigate to `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local`, and create an `inputs.conf` file, if it does not already exist.
  - Open `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf` and add the `request_timeout = <integer>` parameter under each configured input. For example, `[splunk_ta_o365_management_activity://<Input_Name>]`.
  - Save your changes.
## Configure the request timeout parameter for Graph API inputs

Configure the `request_timeout` parameter for Audit Logs inputs. `request_timeout` is the number of seconds to wait before timing out while getting a response from the Graph API.

- The range for the parameter is from 10 to 600 seconds.
- The default value of the `request_timeout` parameter is 60 seconds.
- The upper limit value of the `request_timeout` parameter is 600 seconds.
- The lower limit value of the `request_timeout` parameter is 10 seconds.

To configure it from the UI:

- Click on “Create New Input” and select “Audit Logs”.
- Under the “Advanced Settings” section, configure the “Request Timeout” parameter.

You can also configure the `request_timeout` in all the Graph API inputs from `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf`.
## Configure the token refresh window parameter for Management Activity inputs

Configure the `token_refresh_window` parameter for Management Activity inputs. `token_refresh_window` is the number of seconds before token expiry at which the token must be refreshed. For example, if the token is expiring at 01:00 PM and the user has entered 600 as the value of the `token_refresh_window` parameter, then the token will be refreshed at 12:50 PM.

- The range for the `token_refresh_window` parameter is from 400 seconds to 3600 seconds.
- The default value of `token_refresh_window` is 600 seconds.
- The upper limit of `token_refresh_window` is 3600 seconds.
- The lower limit of `token_refresh_window` is 400 seconds.

There are two ways to add a `token_refresh_window` parameter to configured inputs.

- Make the `token_refresh_window` parameter configurable for all configured inputs.
  - Navigate to `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local`, and create an `inputs.conf` file, if it does not already exist.
  - Copy the stanza below, and add it to the `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf` file.

    ```
    [splunk_ta_o365_management_activity]
    token_refresh_window = <integer>
    ```

    This setting will override the default value of `token_refresh_window` defined in `default/inputs.conf` and it will apply to all configurable Management Activity inputs.
  - Save your changes.
- Make the `token_refresh_window` parameter configurable by adding `token_refresh_window` to specific Management Activity inputs.
  - Configure the Management Activity input using Splunk Web.
  - Navigate to `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local`, and create an `inputs.conf` file, if it does not already exist.
  - Open `$SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf`, and add the `token_refresh_window = <integer>` parameter to each specific Management Activity input. For example, the `[splunk_ta_o365_management_activity://<Input_Name>]` stanza.
  - Save your changes.
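
The following checker is an added example, not part of the add-on or its documentation. It resolves the effective `request_timeout` and `token_refresh_window` for each Management Activity input described above, flags values outside the documented ranges, and reproduces the 01:00 PM refresh calculation. It assumes a per-input value takes precedence over the `[splunk_ta_o365_management_activity]` stanza; the input names and sample file are constructed.

```python
import configparser
from datetime import datetime, timedelta

# (min, max, default) in seconds, as stated on this page.
LIMITS = {"request_timeout": (10, 600, 60),
          "token_refresh_window": (400, 3600, 600)}
SCHEME = "splunk_ta_o365_management_activity"

# Constructed sample of local/inputs.conf; the input names are made up.
SAMPLE_CONF = """
[splunk_ta_o365_management_activity]
request_timeout = 120

[splunk_ta_o365_management_activity://audit_exchange]
token_refresh_window = 300

[splunk_ta_o365_management_activity://audit_sharepoint]
request_timeout = 900
"""


def effective_settings(conf_text):
    """Return {input_name: {param: (value, in_range)}} per configured input."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    scheme_wide = dict(cp[SCHEME]) if cp.has_section(SCHEME) else {}
    report = {}
    for section in cp.sections():
        if not section.startswith(SCHEME + "://"):
            continue
        name = section.split("://", 1)[1]
        report[name] = {}
        for param, (low, high, default) in LIMITS.items():
            # Assumed precedence: per-input value, then the scheme-wide
            # stanza, then the documented default.
            raw = cp[section].get(param, scheme_wide.get(param, str(default)))
            try:
                value = int(raw)
                report[name][param] = (value, low <= value <= high)
            except ValueError:
                report[name][param] = (raw, False)  # not an integer
    return report


def refresh_at(expires_at, token_refresh_window):
    """Refresh time = token expiry minus the window (in seconds)."""
    return expires_at - timedelta(seconds=token_refresh_window)


if __name__ == "__main__":
    for name, params in effective_settings(SAMPLE_CONF).items():
        print(name, params)
    print(refresh_at(datetime(2024, 1, 1, 13, 0), 600))  # constructed date
```

The checker only reports values; how the add-on itself handles an out-of-range setting is not stated on this page.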