Troubleshoot the Splunk Integration

If collector-side checks are green, focus on HEC and index routing.

Checks

  1. Confirm the HEC endpoint URL is correct and ends with /services/collector.
  2. Confirm the HEC token is enabled.
  3. Confirm the token is permitted to write to the ms_teams index.
  4. Confirm the ms_teams index exists and is not frozen.

If collector-side checks are green, the HEC token or index permission is the likely cause.

Checks

  1. Re-copy the token value, making sure no trailing spaces or line breaks are included.
  2. Confirm the token is still active.
  3. Confirm the token is permitted to write to the target index.
  4. Re-test with a single collector cycle.

TLS handshake or certificate validation errors

If collector-side checks are green, validate Splunk certificate trust.

Checks

  1. Install the Splunk CA certificate on the collector host.
  2. Confirm the endpoint hostname matches the certificate.
  3. Set splunk_ssl_check: false only for temporary testing, since it disables certificate validation.
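As an added example (not part of the integration's own documentation), the following Python script runs the URL, token, index and TLS checks from the three sections above: it validates the endpoint path, strips stray whitespace from the token, sends one probe event routed to the target index, and translates Splunk's HEC response code into the likely cause. The hec-probe source, the ms_teams:probe sourcetype and the sample startDateTime are constructed placeholders.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Splunk HEC response codes that map onto the checks above (token state,
# token/index permissions, index existence, HEC enabled).
HEC_CODES = {
    0: "success",
    1: "token disabled",
    2: "token required (Authorization header missing)",
    3: "invalid authorization (token not permitted for this request)",
    4: "invalid token (re-copy the token value)",
    7: "incorrect index (index missing or token not allowed to write to it)",
    17: "HEC is disabled on this Splunk instance",
}

def validate_hec_url(url: str) -> list:
    """Return a list of problems with a HEC endpoint URL; empty means OK."""
    problems, parsed = [], urlparse(url)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if not parsed.hostname:
        problems.append("missing hostname")
    if not parsed.path.rstrip("/").endswith("/services/collector"):
        problems.append("path must end with /services/collector")
    return problems

def build_test_event(index: str) -> dict:
    """One minimal event routed to the target index (placeholder source/sourcetype)."""
    return {"index": index, "source": "hec-probe", "sourcetype": "ms_teams:probe",
            "event": {"message": "HEC routing probe", "startDateTime": "2024-01-01T00:00:00Z"}}

def classify_hec_response(status: int, body: str) -> str:
    """Turn an HTTP status plus the HEC JSON body into an actionable description."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return f"HTTP {status}: non-JSON response (wrong URL path or not a HEC endpoint?)"
    return f"HTTP {status}: {HEC_CODES.get(code, f'HEC code {code}')}"

def send_test_event(url, token, index, ca_file=None, verify_tls=True) -> str:
    """POST one probe event; verify_tls=False mirrors splunk_ssl_check: false (testing only)."""
    token = token.strip()  # a trailing space or newline in the token yields HEC code 4
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: the Splunk CA certificate
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, data=json.dumps(build_test_event(index)).encode(),
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return classify_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # token/index failures arrive as 4xx with a JSON body
        return classify_hec_response(e.code, e.read().decode())
```

Run validate_hec_url on the configured endpoint first; only call send_test_event once it returns no problems, and pass ca_file instead of verify_tls=False wherever possible.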

Events are indexed but dashboards are empty

If collector-side checks are green, investigate field extraction and time parsing.

Checks

  1. Run the search index=ms_teams | head 1 | table * and verify that the expected fields are present.
  2. Verify that startDateTime is parsed as the event time, since dashboard time filters depend on it.
  3. Confirm dashboard time range includes recent ingestion.

If collector-side checks are green, the lookup table is likely missing or misconfigured.

Checks

  1. Confirm the SubnetToSite lookup file is present in Splunk.
  2. Confirm the lookup definition and automatic lookup configuration are active.
  3. Confirm the collector's sites.csv path is configured when site mapping is required.

If the collector also exports to Grafana Cloud or Datadog via OTLP, compare ingestion timestamps across platforms to confirm whether the issue is Splunk-only.