I have the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/) installed on my heavy forwarder and ingesting audit data from an event hub input configured as a central repository for our tenant's audit data. This is working like a champ. I see tons of event hub data, it's all parsing as expected.
I'd love to use some dashboards to avoid making my own. I saw that the Microsoft Azure App for Splunk contains dashboards (https://splunkbase.splunk.com/app/4882/) for data collected from both the Cloud Services add-on above as well as the standard Azure add-on. Seems like what I want.
However, after deploying the app to my SHC none of the dashboards work. Digging further into it, it appears that the sourcetype the App is looking for is totally different from the sourcetype that the MCS add-on generates. All the events in the index are sourcetype=mscs:azure:eventhub, but the App is looking for sourcetype=azure:eventhub.
The question is: is the App actually supposed to work with the MCS add-on, and if so, does anyone have advice on making that work? Or is there a different app that provides dashboards for the data ingested by the MCS add-on?
It looks like I could change the sourcetype in the configuration of the App but that doesn't feel like something I should be changing when the description says it works with the add-on.
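One way to confirm a mismatch like the one described above before touching any configuration is to scan an app's dashboard XML for the sourcetypes its searches expect and compare them against the sourcetypes actually ingested. The script below is an added example, not code from the original post or from either Splunk app; the dashboard XML and the set of ingested sourcetypes are constructed samples, and it assumes the dashboards are Simple XML with searches in <query> elements (the two sourcetype names come from the post).

```python
"""Compare the sourcetypes referenced in a Splunk Simple XML dashboard with the
sourcetypes actually present in the index.

Added example: the dashboard XML and the ingested sourcetype set below are
constructed for illustration, not taken from the Microsoft Azure App for Splunk
or the Microsoft Cloud Services add-on.
"""
import re
import xml.etree.ElementTree as ET

# Matches sourcetype=foo, sourcetype="foo", sourcetype = 'foo' in SPL text.
SOURCETYPE_RE = re.compile(r"""sourcetype\s*=\s*["']?([^\s"'|()]+)["']?""")

# Constructed sample dashboard: two panels that both expect azure:eventhub.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Azure Activity (constructed sample)</label>
  <row><panel>
    <chart>
      <search>
        <query>index=azure sourcetype=azure:eventhub | timechart count</query>
      </search>
    </chart>
  </panel></row>
  <row><panel>
    <table>
      <search>
        <query>index=azure sourcetype="azure:eventhub" category=Administrative
               | stats count by operationName</query>
      </search>
    </table>
  </panel></row>
</dashboard>"""

# Constructed: what `| metadata type=sourcetypes index=azure` might report
# when the MCS add-on is the only thing writing to the index.
INGESTED = {"mscs:azure:eventhub"}


def dashboard_sourcetypes(xml_text):
    """Return the set of sourcetype values referenced by <query> elements."""
    root = ET.fromstring(xml_text)
    found = set()
    for node in root.iter("query"):
        if node.text:
            found.update(SOURCETYPE_RE.findall(node.text))
    return found


def missing_sourcetypes(xml_text, ingested):
    """Sourcetypes the dashboard expects that are absent from the index."""
    expected = dashboard_sourcetypes(xml_text)
    return sorted(st for st in expected if st not in ingested)


def suggest_matches(missing, ingested):
    """For each missing sourcetype, list ingested sourcetypes that end with it.

    A suffix match (azure:eventhub vs mscs:azure:eventhub) is a strong hint
    that two add-ons name the same data differently.
    """
    return {
        st: sorted(i for i in ingested if i.endswith(st) and i != st)
        for st in missing
    }


if __name__ == "__main__":
    missing = missing_sourcetypes(SAMPLE_DASHBOARD, INGESTED)
    print("dashboard expects but index lacks:", missing)
    print("likely equivalents:", suggest_matches(missing, INGESTED))
```

Run it against a real app by reading each file under the app's default/data/ui/views/ directory in place of SAMPLE_DASHBOARD, and feed INGESTED from the output of a metadata search on the index in question. Where a suffix match turns up, that is the point to raise with the app's documentation or support before renaming sourcetypes in the app's own configuration, since an app-side change is lost on upgrade and a props.conf change alters what every other search sees.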