Content Pack for Microsoft 365

Content Pack for Microsoft 365

This documentation does not apply to the most recent version of Content Pack for Microsoft 365. For documentation on the most recent version, go to the latest release.

Install and configure the Content Pack for Microsoft 365

Perform the following high-level steps to install and configure the Content Pack for Microsoft 365:

  1. Install and configure the Splunk Add-on for Microsoft Office 365.
  2. Install the content pack.
  3. Import your Microsoft 365 hosts as entities.
  4. Review and tune KPI thresholds.

Prerequisites

Review the following prerequisites before installing the content pack:

Create a full backup of your ITSI environment

You can choose to create a full backup of your ITSI environment in the event you need to revert the install. For more information, see Overview of backing up and restoring ITSI KV store data in the Administration Manual.

Enable custom visualizations for sankey diagrams and punchcard visualizations

Install the following custom visualization apps from Splunkbase to ensure the visualizations display in this content pack:

To learn more about custom visualizations, refer to the following resources:

Install and configure the Splunk Add-on for Microsoft Office 365

This content pack relies on data from the Splunk Add-on for Microsoft Office 365. The add-on collects service status, service messages, and management activity logs from the Office 365 Management Activity API and the Office 365 Service Communications API.

You can safely install the Splunk Add-on for Microsoft Office 365 on all tiers of a distributed Splunk platform deployment, including heavy forwarders, indexers, or search heads.

To learn how to install and configure the add-on, see Installation and configuration overview for the Splunk Add-on for Microsoft Office 365.

Install the content pack

To install the Content Pack for Microsoft 365, you have to install the Splunk App for Content Packs. To follow detailed installation steps, see Install the Splunk App for Content Packs.

After you have installed the Splunk App for Content Packs, perform the following steps to install the content pack:

  1. From the ITSI main menu, click Configuration > Data Integrations.
  2. Select Add content packs or Add structure to your data depending on your version of ITSI.
  3. Select the Microsoft 365 content pack.
  4. Review what's included in the content pack and then click Proceed.
  5. Configure the settings:
    1. Choose which objects to install: For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version or install them all.
    2. Choose a conflict resolution rule for the objects you install: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
      1. Install as new: Objects are installed and any existing identical objects in your environment remain intact.
      2. Replace existing: Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
    3. Import as enabled: Select whether to install objects as enabled or to leave them in their original state. We recommend that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of the option you choose.
    4. Add a prefix to your new objects: Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects after installation.
    5. Backfill service KPIs: Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and predictive analytics for the new services. This setting only applies to KPIs, not service health scores.
  6. When you're satisfied with your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page indicates which content packs you've already installed.

Import your Microsoft 365 hosts as entities

Import your Microsoft 365 hosts as entities using ad-hoc searches included with the content pack.

Import Microsoft 365 Tenants

Perform the following steps to import your Microsoft 365 Tenants:

  1. From the main menu, click Configuration > Entities.
  2. Click Create Entity > Import from Search.
  3. Select Ad hoc Search and input the following search:
    `m365_cp_default_index` sourcetype="o365:management:activity" 
    | stats values(Workload) values(sourcetype) by OrganizationId 
    | eval entity_type="M365 Tenants" 
    | fields - count
    
  4. Run the search and make sure you see your Microsoft Exchange hosts with an entity_type of M365 Tenants.
  5. Click Next.
  6. Configure the following column rules:
    Column Name Import Column As
    OrganizationId Entity Title
    values(Workload) Entity Information Field
    values(sourcetype) Entity Information Field
    entity_type Entity Type
  7. Click Import to import your entities.
  8. After the import job completes, click Set Up Recurring Import and follow the steps in Set up a recurring import of entities in ITSI in the Entity Integrations Manual.
  9. Click View all entities and confirm your entities appear.

Import Power BI Workspaces

Perform the following steps to import your Power BI Workspaces:

  1. From the main menu, click Configuration > Entities.
  2. Click Create Entity > Import from Search.
  3. Select Ad hoc Search and input the following search:
    `m365_cp_default_index` sourcetype="o365:management:activity" Workload=PowerBI
    | stats values(OrganizationId), values(sourcetype) by WorkSpaceName
    | eval entity_type="Power BI Workspaces"
    | fields - count
    
  4. Run the search and make sure you see your Microsoft Exchange hosts with an entity_type of Power BI Workspaces.
  5. Click Next.
  6. Configure the following column rules:
    Column Name Import Column As
    WorkSpaceName Entity Title
    values(Workload) Entity Information Field
    values(sourcetype) Entity Information Field
    entity_type Entity Type
  7. Click Import to import your entities.
  8. After the import job completes, click Set Up Recurring Import and follow the steps in Set up a recurring import of entities in ITSI in the Entity Integrations Manual.
  9. Click View all entities and confirm your entities appear.

Import Sharepoint Workspaces

Perform the following steps to import your Sharepoint Workspaces:

  1. From the main menu, click Configuration > Entities.
  2. Click Create Entity > Import from Search.
  3. Select Ad hoc Search and input the following search:
    `m365_cp_default_index` sourcetype="o365:management:activity" Workload=Sharepoint
    | eval SiteNameLower = lower(SiteName) 
    | stats values(OrganizationId) values(sourcetype) by SiteName,SiteNameLower
    | dedup SiteNameLower 
    | eval entity_type="Sharepoint Sites" 
    | fields - count, SiteNameLower
    
  4. Run the search and make sure you see your Microsoft Exchange hosts with an entity_type of Sharepoint Sites.
  5. Click Next.
  6. Configure the following column rules:
    Column Name Import Column As
    Site Name Entity Title
    values(OrganizationId) Entity Information Field
    values(sourcetype) Entity Information Field
    entity_type Entity Type
  7. Click Import to import your entities.
  8. After the import job completes, click Set Up Recurring Import and follow the steps in Set up a recurring import of entities in ITSI in the Entity Integrations Manual.
  9. Click View all entities and confirm your entities appear.

Review and tune KPI thresholds

Aggregate and per-entity thresholds for the KPIs in this content pack have pre-tuned thresholds representing best practices. You can review the KPIs in each service and configure their aggregate and per-entity thresholds values to alternate defaults based on your use case. Some KPIs, such as basic performance counters like CPU utilization, have universal best practices for threshold configuration. Others are specific to your deployment.

For instructions on tuning the KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights Manual .

For a full list of the KPIs in this content pack, see the KPI reference for the Content Pack for Microsoft 365.

KPI alerting

ITSI generates notable events in Episode Review based on the alerting rules you configure. KPI alerting is enabled for some services so you can receive alerts when aggregate KPI threshold values change. You can turn off this alerting behavior or tune the parameters based on how many alerts you want to receive.

For more information about KPI alerting, see Receive alerts when KPI severity changes in ITSI in the Service Insights Manual. .

Anomaly detection

Anomaly detection uses machine learning algorithms to model KPI behavior. If the KPI diverges from the normal pattern, ITSI creates a notable event in Episode Review. Some KPIs have anomaly detection enabled.

For more information about anomaly detection, see Apply anomaly detection to a KPI in ITSI in the Service Insights Manual.

Next step

Once you install and configure the Content Pack for Microsoft 365, you can start using the dashboards and visualizations in the content pack to monitor your environment. For instructions on using the content pack, see Use the Content Pack for Microsoft 365.

Last modified on 09 March, 2022
Release notes for the Content Pack for Microsoft 365   Use the Content Pack for Microsoft 365

This documentation applies to the following versions of Content Pack for Microsoft 365: 1.0.10, 1.0.11


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters