We have updated our Terms of Service, Code of Conduct, and Addendum.

Office 365 Activity log counts less than Splunk app

pete
pete Posts: 1
edited September 2023 in Stream

For other users that have started pulling O365 activity logs using Stream instead of the Splunk app, have you noticed a discrepancy in the event counts? We consistently receive more events through the Splunk app than we do through the Stream source. The setup is exactly the same: tenant, app Id, content, and interval. We've even done comparisons into the data and have found events missing through Stream that were retrieved by the Splunk app. So it seems like Stream is either dropping some events or just not pulling all of them.

We do have a case open with Cribl already but I'm wondering if we're the only ones seeing this. Has anyone else noticed compared the volume and noticed the same?

Tagged:

Answers