Splunk® Data Stream Processor

Connect to Data Sources and Destinations with DSP

On April 3, 2023, Splunk Data Stream Processor reached its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.

All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Create a DSP connection to Microsoft 365

The Microsoft 365 connector is planned for deprecation. See the Release Notes for more information.

To get data from the Office 365 Management Activity API into a data pipeline in Splunk Data Stream Processor, you must first create a connection using the Microsoft 365 connector. In the connection settings, provide the credentials of your Microsoft Azure Active Directory (AD) integration application so that DSP can access your data, and schedule a data collection job to specify how frequently DSP retrieves the data. You can then use the connection in the Microsoft 365 source function to get data from the Office 365 Management Activity API into a DSP pipeline.

Prerequisites

Before you can create the Microsoft 365 connection, you must have the following:

  • An integration application that registers the connector in Microsoft Azure Active Directory (AD), and has the Read activity data for your organization permission assigned to it.
  • The following credentials from the integration application:
    • Tenant ID, which is also known as a directory ID.
    • Client ID, which is also known as an application ID.
    • Client secret, which is also known as a key.

If you don't have this integration application or the credentials, ask your Microsoft 365 administrator for assistance. For information about creating integration applications, search for "Get started with Office 365 Management APIs" in the Office 365 Management APIs documentation.

Steps

  1. In DSP, select the Connections page.
  2. On the Connections page, click Create Connection.
  3. On the Source tab, select Microsoft 365 and then click Next.
  4. Complete the following fields:
    Field Description
    Connection Name A unique name for your connection.
    Tenant ID The tenant ID from Azure AD.
    Client ID The client ID from your integration application in Azure AD.
    Client Secret The client secret from your integration application in Azure AD.
    Content Types The types of logs to collect from Microsoft 365 and Office 365 services. Select one or more of the following types:
    • Audit.AzureActiveDirectory: The audit logs for Azure AD.
    • Audit.Exchange: The audit logs for Microsoft Exchange.
    • Audit.SharePoint: The audit logs for Microsoft SharePoint.
    • Audit.General: The general audit logs for Microsoft 365.
    • DLP.All: The data loss protection (DLP) event logs for all services.
    Scheduled This parameter is on by default, indicating that jobs run automatically. Toggle this parameter off to stop the scheduled job from automatically running. Jobs that are currently running aren't affected.
    Schedule The time-based job schedule that determines when the connector executes jobs for collecting data. Select a predefined value or write a custom CRON schedule. All CRON schedules are based on UTC.

    To avoid running long jobs that don't collect any additional data, schedule your jobs to run for 24 hours or less. Each request from the connector to the API is limited to a maximum time period of 24 hours.

    Workers The number of workers you want to use to collect data.

    Any credentials that you upload are transmitted securely by HTTPS, encrypted, and securely stored in a secrets manager.

  5. Click Save.

    If you're editing a connection that's being used by an active pipeline, you must reactivate that pipeline after making your changes. When you reactivate a pipeline, you must select where you want to resume data ingestion. See Using activation checkpoints to activate your pipeline in the Use the Data Stream Processor manual for more information.

You can now use your connection in a Microsoft 365 source function at the start of your data pipeline to get data from the Office 365 Management Activity API. For instructions on how to build a data pipeline, see the Building a pipeline chapter in the Use the Data Stream Processor manual. For information about the source function, see Get data from Microsoft 365 in the Function Reference manual.

Last modified on 29 March, 2022
Connecting Microsoft 365 to your DSP pipeline   Connecting Microsoft Azure Event Hubs to your DSP pipeline as a data source

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.3.0, 1.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters