Splunk Lantern

Managing O365 workloads


Your organization is trying to cut costs. You're thinking about eliminating SharePoint because many users have switched to other systems that have the same functionality. You want to start tracking operations performed on SharePoint to see how much usage it really gets. 

Data required

Microsoft: 365 Reporting


  1. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    sourcetype="ms:o365:management"
    | stats count by Workload
  2. Examine the workloads shown to find one you want to investigate. Then update the search as follows:
    sourcetype="ms:o365:management" Workload=<workload>
    | stats VALUES(src_ip) VALUES(ClientIP) VALUES(Operation) count BY UserId

Search explanation

Splunk search: sourcetype="ms:o365:management"
Explanation: Search only ms:o365:management data.

Splunk search: | stats count by Workload
Explanation: Show the number of events for each O365 workload.

Splunk search: Workload=<workload>
Explanation: Search values for the selected workload, for example, Exchange, OneDrive, or, in this scenario, SharePoint.

Splunk search: | stats VALUES(src_ip) VALUES(ClientIP) VALUES(Operation) count BY UserId
Explanation: Count the number of events connected to each user in your group and show the unique IP addresses and operations for each user.

The src_ip field is aliased for the Office 365 value “ClientIP,” so these values are identical.
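To make the two searches concrete, here is an added Python example (not code from Splunk or this article) that runs the same two aggregations offline over a few constructed ms:o365:management events. The field names Workload, Operation, UserId and ClientIP follow the page; the user names and IP addresses are made-up sample values, and the src_ip alias is reproduced by hand.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events shaped like Microsoft 365 Management Activity
# records as Splunk ingests them (sourcetype ms:o365:management). All values
# are made up for this example, not real tenant data.
SAMPLE_LOG = """\
{"Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"}
{"Workload": "SharePoint", "Operation": "FileDownloaded", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"}
{"Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "198.51.100.7"}
{"Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "bob@example.com", "ClientIP": "198.51.100.7"}
{"Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.10"}
{"Workload": "OneDrive", "Operation": "FileUploaded", "UserId": "carol@example.com", "ClientIP": "192.0.2.44"}
"""

def load_events(text):
    """Parse one JSON event per line and apply the src_ip alias for ClientIP."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Splunk's field alias: src_ip carries the same value as ClientIP.
        if "ClientIP" in event:
            event.setdefault("src_ip", event["ClientIP"])
        events.append(event)
    return events

def count_by_workload(events):
    """Offline equivalent of: sourcetype="ms:o365:management" | stats count by Workload"""
    # stats ... BY drops events in which the BY field is missing.
    return dict(Counter(e["Workload"] for e in events if "Workload" in e))

def summarize_workload(events, workload):
    """Offline equivalent of:
    Workload=<workload> | stats VALUES(src_ip) VALUES(ClientIP) VALUES(Operation) count BY UserId
    VALUES() lists each distinct value once (sorted) and ignores missing fields."""
    per_user = defaultdict(lambda: {"src_ip": set(), "ClientIP": set(), "Operation": set(), "count": 0})
    for e in events:
        if e.get("Workload") != workload or "UserId" not in e:
            continue
        row = per_user[e["UserId"]]
        for field in ("src_ip", "ClientIP", "Operation"):
            if field in e:
                row[field].add(e[field])
        row["count"] += 1
    return {user: {k: sorted(v) if isinstance(v, set) else v for k, v in row.items()}
            for user, row in per_user.items()}
```

Running `count_by_workload(load_events(SAMPLE_LOG))` reproduces the first search's table, and `summarize_workload(..., "SharePoint")` the second; the ClientIP and src_ip columns come out identical, as the alias note above states.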

Next steps

The content in this article comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed.
