I am using the Splunk Add-on for Microsoft Cloud Services to retrieve Event Hub data in Splunk Cloud, but I encountered the following error in the internal log.
2025-07-09 02:16:40,345 level=ERROR pid=1248398 tid=MainThread logger=modular_inputs.mscs_azure_event_hub pos=mscs_azure_event_hub.py:run:925 | datainput="Azure_Event_hub" start_time=1752027388 | message="Error occurred while connecting to eventhub: Failed to authenticate the connection due to exception: [Errno -2] Name or service not known Error condition: ErrorCondition.ClientError Error Description: Failed to authenticate the connection due to exception: [Errno -2] Name or service not known
The credentials should not be an issue, as I am using the same credentials in FortiSIEM and successfully getting the data from the Event Hub. Could anyone help identify the cause of the issue and suggest how to resolve it?
This error usually isn’t about your credentials but rather a DNS or endpoint resolution issue — Splunk Cloud may not be able to reach the Event Hub namespace you’ve configured, which is why it throws the [Errno -2] Name or service not known error. Since the same credentials work in FortiSIEM, double-check that the Event Hub FQDN/namespace in your Splunk Add-on settings is correct, ensure that it includes the full suffix (like *.servicebus.windows.net), and confirm with Splunk Support that the necessary outbound connectivity to Azure Event Hubs is allowed from your Splunk Cloud stack (sometimes a firewall or network restriction on Splunk Cloud’s side blocks the connection). Updating the namespace field and verifying network egress is usually the fix.
Hello @Alan_Chan
Follow these quick steps:
DNS Resolution:
Run nslookup <eventhub-namespace>.servicebus.windows.net on the Heavy Forwarder/Search Head to verify DNS resolution.
Connectivity Check:
Use ping <eventhub-namespace>.servicebus.windows.net to confirm network access.
Firewall Rules:
Ensure the public IP of the instance isn’t blocked by Azure Event Hub's IP firewall settings.
Permission Check:
Verify the Event Hub permissions for the data inputs in question.
Endpoint Test:
Run wget https://<eventhub-namespace>.servicebus.windows.net/ to check endpoint availability.
If the namespace can't be resolved, the Event Hub may have been decommissioned.
Hi @Alan_Chan
This sounds like your event_hub_namespace is incorrect, or cannot be resolved using the DNS server on your Splunk instance.
The Azure Event Hub Namespace (FQDN). On portal.azure.com, on your Event Hubs Namespace page, the event_hub_namespace is displayed as Host Name in the Essentials section. It has the following formatting: <yourEventHubNamespace>.servicebus.windows.net.
Firstly, please validate that this is configured correctly.
If this is correct then check that you can resolve this from your system:
nslookup <yourEventHubNamespace>.servicebus.windows.net.
Alternatively, you could use "dig" if your system has it. Does this resolve to an IP address? If not, then you will need to investigate further why it is not resolving. I'd start by trying to resolve other known DNS entries (e.g. google.com) to confirm your DNS resolution is working.
The error you highlighted looks like a DNS resolution failure, not an authentication failure.
Can you double-check your event_hub_namespace?
https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/Configureeventhubs/
Perform nslookup/ping/wget to your Event Hub namespace FQDN and verify.
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
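The checks suggested across the answers above (namespace format, DNS resolution, endpoint reachability), combined into one script as an added example that is not part of any post in this thread or of the add-on. It resolves through Python's socket module, which reports a failed lookup as the same "[Errno -2] Name or service not known" seen in the log; the ports 5671 and 443, the public-cloud suffix check and the "example-namespace" placeholder are assumptions.

```python
import socket
import sys

SUFFIX = ".servicebus.windows.net"  # public-cloud suffix named in the thread (assumption)
PORTS = (5671, 443)                 # AMQP over TLS and HTTPS/WebSockets (assumption)


def check_namespace_format(value):
    """Return a list of problems with a configured event_hub_namespace value."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    if "://" in value:
        problems.append("URL scheme present; use the bare host name")
    rest = value.strip().split("://", 1)[-1]
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if host != rest:
        problems.append("path or port present; use the bare host name")
    name = host.lower().rstrip(".")
    if not name.endswith(SUFFIX) or name == SUFFIX:
        problems.append("expected <namespace>" + SUFFIX)
    return problems


def diagnose(fqdn, ports=PORTS, resolver=socket.getaddrinfo,
             connect=socket.create_connection, timeout=5):
    """Check format, then DNS, then one TCP connect per port; return the findings."""
    result = {"format": check_namespace_format(fqdn), "dns": None, "tcp": {}}
    try:
        infos = resolver(fqdn, None, proto=socket.IPPROTO_TCP)
        result["dns"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        # The failure the add-on logged: "[Errno -2] Name or service not known"
        result["dns"] = "FAILED: %s" % exc
        return result  # no point testing ports for a name that does not resolve
    for port in ports:
        try:
            connect((fqdn, port), timeout=timeout).close()
            result["tcp"][port] = "open"
        except OSError as exc:
            result["tcp"][port] = "FAILED: %s" % exc
    return result


if __name__ == "__main__":
    # "example-namespace" is a constructed placeholder; pass the real FQDN as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "example-namespace" + SUFFIX
    for key, value in diagnose(target).items():
        print(key, "->", value)
```

Run it on the host where the input executes, since the result depends on that host's DNS server and egress rules.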