All Apps and Add-ons

Does Splunk work with the Microsoft Cloud Services add-on and if so does anyone have advice on making it work?

mlasky1970
Loves-to-Learn Lots

I have the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/) installed on my heavy forwarder and ingesting audit data from an event hub input configured as a central repository for our tenant's audit data. This is working like a champ. I see tons of event hub data, it's all parsing as expected.

I'd love to use some dashboards to avoid making my own. I saw that the Microsoft Azure App for Splunk contains dashboards (https://splunkbase.splunk.com/app/4882/) for data collected from both the Cloud Services add-on above as well as the standard Azure add-on. Seems like what I want.

However, after deploying the app to my SHC none of the dashboards work. Digging further into it it appears that the sourcetype the App is looking for is totally different than the sourcetype that the MCS add-on generates. All the events in the index are sourcetype=mscs:azure:eventhub but the App is looking for sourcetype=azure:eventhub.

The question is, is the App actually supposed to work with the MCS add-on and if so does anyone have advice on making that work? Or is there a different app that provides dashboards for the data ingested by the MCS add-on?

It looks like I could change the sourcetype in the configuration of the App but that doesn't feel like something I should be changing when the description says it works with the add-on.

Labels (3)
Tags (2)
0 Karma

spodda01da
Path Finder

I am in same situation, did you find anything to visualize Eventhub data on Splunk.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...