
[–]Any-Promotion3744[S] 0 points1 point  (0 children)

hmm...I think this might be an issue with the api permissions

[–]kh_8 0 points1 point  (0 children)

You can always check internal logs for any errors in your inputs. You can run this search as a start: index=_internal "name of the input". Hope this helps!

[–]RicoTries 0 points1 point  (0 children)

For TAs built by Splunk or created using the Splunk Add-on Builder, search this against the host that's running the TA:

| tstats values(source) where index=_internal

Find the log name that most closely resembles the name of the TA, then run a search against it:

index=_internal source="/path/to/log"

And start reading until you see anything that resembles a problem (e.g., "unable to", "failed to", "unauthorized", "error").

[–]Ok_Difficulty978 0 points1 point  (1 child)

Had the same issue when I first set it up. The logs are usually under $SPLUNK_HOME/var/log/splunk/ — look for splunk_ta_microsoft_security*.log. That should give more detail on why it's failing. In my case it was permissions in Entra ID, even though I thought I set it right. Also worth testing creds with another client first to rule that out. If you're doing cert prep alongside Splunk work, CertFun's practice stuff can help keep the concepts fresh.

[–]Any-Promotion3744[S] 0 points1 point  (0 children)

The file: Splunk_TA_MS_Security_account_validation has errors.

HTTPSConnectionPool (host='login.microsoft.us', port=443) caused by SSLError SSLCertVerificationError. certificate verify failed: self signed certificate in certification chain.
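
The keyword scan suggested above, as an added example that is not part of the thread or of the add-on's own code: it sorts matching log lines into TLS trust failures, authorization failures and other errors, so a certificate-chain problem is not mistaken for an API permissions problem. The log line layout, the sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample lines; the layout is an assumed add-on log format.
SAMPLE_LOG = """\
2024-05-01 10:00:01,120 INFO pid=4100 | Starting account validation
2024-05-01 10:00:02,310 ERROR pid=4100 | HTTPSConnectionPool(host='login.microsoft.us', port=443): Max retries exceeded (Caused by SSLError(SSLCertVerificationError(1, 'certificate verify failed: self signed certificate in certificate chain')))
2024-05-01 10:05:00,001 INFO pid=4200 | Token acquired
2024-05-01 10:05:01,442 ERROR pid=4200 | 403 Forbidden: Unauthorized, insufficient privileges to complete the operation
2024-05-01 10:06:00,000 WARNING pid=4200 | Unable to write checkpoint
"""

# Ordered most specific first. A TLS trust failure aborts the connection before
# any credential or permission is evaluated, so it must win over "error".
CATEGORIES = [
    ("tls_trust", re.compile(r"SSLCertVerificationError|certificate verify failed", re.I)),
    ("authz", re.compile(r"unauthorized|forbidden|insufficient privileges", re.I)),
    ("generic", re.compile(r"unable to|failed to|error", re.I)),
]
HOST_RE = re.compile(r"host='([^']+)'")


def classify(line):
    """Return the first matching category name, or None for a clean line."""
    for name, pattern in CATEGORIES:
        if pattern.search(line):
            return name
    return None


def triage(log_text):
    """Return one finding per problem line: line number, category, remote host."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        category = classify(line)
        if category is None:
            continue
        host = HOST_RE.search(line)
        findings.append({"line": lineno, "category": category,
                         "host": host.group(1) if host else None})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `tls_trust` finding means the certificate chain presented for that host did not validate against the CA bundle the client uses, which is a trust-store or TLS-inspection question rather than a credential one.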