
Configure Service Health & Communication inputs for the Splunk Add-on for Microsoft Office 365

Description: Access the health status and message center posts.

The following content-types are supported:

  • Service Health: This operation retrieves information about all service health issues that exist for the tenant.
  • Service Update Messages: This operation retrieves all service update messages that exist for the tenant.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Service Health & Communications.
  2. Enter the parameter values using information provided in the input parameter table below.
  3. Click Add.
  4. Verify that data is successfully arriving by running the following search on your search head, depending on the selected content-type:

If the content-type is Service Health

Splunk Search

sourcetype=o365:service:healthIssue

If the content-type is Service Update Messages

Splunk Search

sourcetype=o365:service:updateMessage

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
  2. Add the following stanza.

     [splunk_ta_o365_graph_api://<service_health_input_name>]
     content_type = <value>
     index = <value>
     interval = <value>
     tenant_name = <value>

  3. (Optional) Configure a custom index.
  4. Restart your Splunk platform instance.
  5. Verify that data is successfully arriving by running the following search on your search head:

If the content-type is Service Health

Splunk Search

sourcetype=o365:service:healthIssue

If the content-type is Service Update Messages

Splunk Search

sourcetype=o365:service:updateMessage

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.
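A check to run over inputs.conf before the restart step, as an added example that is not part of the add-on or of Splunk's documentation: it flags Service Health stanzas that still contain `<value>` placeholders, lack one of the four keys from the stanza above, or have a non-numeric interval. The function name, the sample stanza names and the sample content_type value are constructed for illustration, and treating `index = main` as an advisory finding is this example's own choice.

```python
import configparser

PREFIX = "splunk_ta_o365_graph_api://"
REQUIRED = ("content_type", "index", "interval", "tenant_name")  # keys from the stanza above

# Constructed sample; the names and the content_type value are placeholders, not documented values.
SAMPLE = """\
[splunk_ta_o365_graph_api://health_ok]
content_type = CONSTRUCTED_CONTENT_TYPE
index = o365_health
interval = 300
tenant_name = example_tenant

[splunk_ta_o365_graph_api://health_bad]
content_type = <value>
index = main
interval = 5m
"""

def check_inputs_conf(text):
    """Return (input_name, problem) tuples for every Service Health stanza in text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    problems = []
    for stanza in cp.sections():
        if not stanza.startswith(PREFIX):
            continue  # stanzas of other inputs are not checked here
        name = stanza[len(PREFIX):]
        if not name or name.startswith("<"):
            problems.append((name, "input name is empty or still a placeholder"))
        for key in REQUIRED:
            value = cp[stanza].get(key, "").strip()
            if not value:
                problems.append((name, f"{key} is missing"))
            elif value.startswith("<") and value.endswith(">"):
                problems.append((name, f"{key} is still a placeholder"))
            elif key == "interval" and not (value.isdecimal() and int(value) > 0):
                problems.append((name, "interval is not a positive number of seconds"))
            elif key == "index" and value == "main":
                problems.append((name, "index is the default 'main' (advisory)"))
    return problems

if __name__ == "__main__":
    for name, problem in check_inputs_conf(SAMPLE):
        print(f"{name}: {problem}")
```

To check a real file, pass the contents of local/inputs.conf to `check_inputs_conf` instead of the sample.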

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

| Input Name | Corresponding field in Splunk Web | Description |
|---|---|---|
| service_health_input_name | Input Name | A unique name for your input. |
| tenant_name | Tenant Name | The Microsoft Office 365 account from which you want to gather data. |
| content_type | Content Type | Supported Content Type of the Service Health API from which data is to be fetched. |
| index | Index | The index in which the Audit Logs data should be stored. The default is main. |
| interval | Interval (seconds) | Rerun the input after the defined value, in seconds. |