topic Re: pull Azure event hub logs to Splunk in Getting Data In

pull Azure event hub logs to Splunk

splunklearner — Fri, 11 Apr 2025 15:02:25 GMT

How can we pull Azure event hub logs to Splunk? I check that we cannot use HEC configuration for pulling the data. When I was checking for apps, there are 3-4 apps present for this: but I have found most of them are not supported now and older version. I found this app - https://splunkbase.splunk.com/app/3110. Not sure how to configure this? Is there any other add-on or approach we can follow to pull event hubs Azure logs to Splunk? Any leads would be appreciated.

Re: pull Azure event hub logs to Splunk

livehybrid — Fri, 11 Apr 2025 16:00:48 GMT

Hi @splunklearner

The docs state "As a general rule, Data Manager is the recommended method of data ingestion for Splunk Cloud customers for supported data sources where available" Are you using Splunk Cloud?

Its also worth checking the following Lantern docs https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data as an alternative - this uses Splunk Add-on for Microsoft Cloud Services which you've already referrenced.

Either of these options are good contenders. Alternatively there is a third option, which is to use HEC and Azure Functions to push the data. Check out https://github.com/splunk/azure-functions-splunk/blob/master/event-hubs-hec/README.md for more information around this.

Ultimately the best option for you depends on a number of factors - such as Cloud/Enterprise but also if you have the engineering support for things like Azure Functions etc.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: pull Azure event hub logs to Splunk

richgalloway — Fri, 11 Apr 2025 16:35:29 GMT

@livehybrid's answer is a good one.

In general, HEC cannot pull data from any source. It is merely a receiver for data pushed to Splunk.

Re: pull Azure event hub logs to Splunk

splunklearner — Fri, 11 Apr 2025 16:36:49 GMT

@livehybrid Splunk enterprise not Splunk Cloud.

Re: pull Azure event hub logs to Splunk

splunklearner — Fri, 11 Apr 2025 16:38:19 GMT

@richgalloway according to you what will be the best approach for us? Ours is Splunk enterprise and our Splunk instances residing on AWS cloud. Azure team confirmed that pushing is not possible.

Re: pull Azure event hub logs to Splunk

richgalloway — Fri, 11 Apr 2025 18:50:39 GMT

Install the app you cited in the OP on a heavy forwarder and use that to pull data from Azure using API calls. The HF will forward the data to Splunk.

Re: pull Azure event hub logs to Splunk

livehybrid — Fri, 11 Apr 2025 21:06:01 GMT

Hi @splunklearner

If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Cloud Services app.

This aligns with the recommendations here: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing