All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Data Parsing Issue - Ingesting The Logs Using Splunk Add-On For Microsoft Cloud Services

anandhalagaras1
Contributor
‎12-26-2024 05:07 AM

Hi All,

We initially received a requirement to configure and ingest logs from Azure Storage Blob. To address this, we installed the Splunk Add-On for Microsoft Cloud Services on our Heavy Forwarder servers and configured it to pull logs from Azure Storage Blob using the Azure Storage Account.

Currently, there's a new requirement to ingest Databricks logs from Azure Storage Blob. We completed the necessary configurations and set the default sourcetype to mscs:storage:blob for data parsing. While the events are visible in Splunk after the configuration, we noticed that the data parsing is not functioning as expected for these events.

As a troubleshooting step, I changed the sourcetype to mscs:storage:blob:json, but the issue still persists.

Could you please assist me in resolving this issue? Your guidance would be greatly appreciated.

 

Labels (3)
0 Karma
Reply

rishabhshah
Path Finder
‎01-06-2025 05:41 AM

Could you please share the sample raw logs and how are those looking in Splunk once they are ingested? Issues with Line breaking, timestamp assignment, field extraction?

0 Karma
Reply

kiran_panchavat
SplunkTrust
SplunkTrust
‎01-02-2025 02:16 AM

@anandhalagaras1 

Have you checked this community page?

https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

anandhalagaras1
Contributor
‎01-02-2025 03:58 AM

@kiran_panchavat ,

I have tried the same as per the community page but still its the same the data are not getting parsed.

0 Karma
Reply

anandhalagaras1
Contributor
‎01-02-2025 12:05 AM

Can anyone help on my request.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...