Connecting Microsoft 365 to your DSP pipeline
When creating a data pipeline in Splunk Data Stream Processor (DSP), you can connect to the Office 365 Management Activity API and use it as a data source. The API lets you audit the end-user activity in your Microsoft 365 and Office 365 services by providing logs that track the status, messages, and management activity in each service. You can get log data from the API into a pipeline, transform the data as needed, and then send the transformed data out from the pipeline to a destination of your choosing.
To connect to the Office 365 Management Activity API as a data source, you must complete the following tasks:
- Create a connection that allows DSP to access your Microsoft 365 data. See Create a DSP connection to Microsoft 365.
- Create a pipeline that starts with the Microsoft 365 source function. See the Building a pipeline chapter in the Use the manual for instructions on how to build a data pipeline.
- Configure the Microsoft 365 source function to use your Microsoft 365 connection. See Get data from Microsoft 365 in the Function Reference manual.
When you activate the pipeline, the source function starts collecting logs from the Office 365 Management Activity API. Each log is received into the pipeline as a record.
If your data fails to get into DSP, check the connection settings to make sure you have the correct tenant ID, client ID, and client secret for your Microsoft Azure Active Directory (AD) integration application. DSP doesn't run a check to see if you enter valid credentials.
How Microsoft 365 data is collected
The source function collects data according to the job schedule that you specified in the connection settings. See Scheduled data collection jobs for more information, including a list of the limitations that apply to all scheduled data collection jobs.
The following behavior from the Microsoft 365 connector might have an impact on the exact timing and scope of your data collection jobs:
- The first time a scheduled job runs, the connector collects data from the past 30 minutes. For all following scheduled jobs, the connector collects data according to the schedule that you specified.
- In some cases, the connector doesn't collect an event until an upwards of 5 days after the event was originally generated. For more information about this delay, search for "Office 365 Management Activity API frequently asked questions" in the Office 365 Management APIs documentation.
- The connector can send a maximum of 2,000 requests per minute.
- Each request from the connector is limited to a maximum time period of 24 hours.
Deserialize and preview data from Google Cloud Pub/Sub in DSP
Create a DSP connection to Microsoft 365
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0