Im using the Splunk Add-on for Microsoft Cloud Services, and I'm trying to ingest EHs.
We've setup th SP, and Enterprise app, created EHs. and configured account and inputs in addon
yyyy-dd-mm 11:36:20,813 level=INFO pid=18561 tid=MainThread logger=__main__ pos=mscs_azure_event_hub.py:_try_creating_blob_checkpoint_store:567 datainput="AzureEH" start_time= message="Blob checkpoint store not configured"
yyyy-dd-mm 11:36:14,786 level=INFO pid=18427 tid=MainThread logger=splunksdc.loop pos=loop.py:is_aborted:38 datainput="AzureEH" start_time= message="Loop has been aborted."
thanks for the details on this thread
Answering my own question. At was resolved with correct permission in azure
I encounter the exact same issue. What permissions do you exactly mean?
You require two permissions to ingest Event Hub through through Microsoft Cloud Services.
- Azure Service Management -> "user_impersonation"
- In Azure Portal -> Subscriptions -> Access control (IAM) -> Add role assignments -> Role: "Azure Event Hubs Data Receiver" -> User, group or service principal -> give this your app.
It has been documented meanwhile at https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureeventhubs
thanks for sharing this. I updated the permissions and it seem to work. I'm still getting the same error in the "splunk_ta_microsoft_cloudservices_mscs_[azure_event_hub_azure-west-activity-logs.log]"
message="Blob checkpoint store not configured"
However, Azure Event Hub events are in the indexer and searchable.
what Permission did you add to fix this ?
What permissions was this? Event Hub Data Receiver?