Able to connect to Eventhub but data is not downloaded, offset stays at -1

dcanchon
New Member

Able to connect to Azure hub using shared key and event hub name in inputs. I am not seeing any logs from the eventhub in Splunk. Every 30 seconds (input interval) I get the logs below when using the search: index=internal sourcetype=ta:ms:aad:log debug _Splunk . Seems like there is no data in the event hub. The key I am using has the listen permission. When looking at the hub in Azure, it seems as if logs are being sent to the hub.

2020-02-19 09:41:57,341 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 4, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_4, last offset: -1
2020-02-19 09:41:52,417 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 4, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_4, last offset: -1
2020-02-19 09:41:52,412 DEBUG pid=52756 tid=ThreadPoolExecutor-0_2 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 2, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_2, last offset: -1
2020-02-19 09:41:52,407 DEBUG pid=52756 tid=ThreadPoolExecutor-0_1 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 1, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_1, st offset: -1
2020-02-19 09:41:52,402 DEBUG pid=52756 tid=ThreadPoolExecutor-0_0 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 0, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_0, last offset: -1
2020-02-19 09:41:52,396 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 3, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_3, last offset: -1
2020-02-19 09:41:47,206 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 3, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_3, last offset: -1
2020-02-19 09:41:47,197 DEBUG pid=52756 tid=ThreadPoolExecutor-0_2 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 2, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_2, last offset: -1
2020-02-19 09:41:47,087 DEBUG pid=52756 tid=ThreadPoolExecutor-0_1 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 1, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_1, last offset: -1
2020-02-19 09:41:46,935 DEBUG pid=52756 tid=ThreadPoolExecutor-0_0 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 0, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_0, last offset: -1
2020-02-19 09:41:46,913 DEBUG pid=52756 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk partition IDs for hub hubname: [u'0', u'1', u'2', u'3', u'4']
2020-02-19 09:41:45,801 DEBUG pid=52756 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk Getting proxy server.

0 Karma

robwheeler
Engager

Did you get a resolution to this?

I'm seeing the same behaviour and no idea what the cause is. 

I have 2 HFs; one pulls data successfully from the eventhub, the other HF always returns the -1 offset.

This is 1 HF to 1 eventhub per region, so I'm not making multiple requests into the same eventhub from multiple HFs.

0 Karma