Im using the Splunk Add-on for Microsoft Cloud Services, and I'm trying to ingest EHs.
We've setup th SP, and Enterprise app, created EHs. and configured account and inputs in addon
yyyy-dd-mm 11:36:20,813 level=INFO pid=18561 tid=MainThread logger=__main__ pos=mscs_azure_event_hub.py:_try_creating_blob_checkpoint_store:567 datainput="AzureEH" start_time= message="Blob checkpoint store not configured" yyyy-dd-mm 11:36:14,786 level=INFO pid=18427 tid=MainThread logger=splunksdc.loop pos=loop.py:is_aborted:38 datainput="AzureEH" start_time= message="Loop has been aborted."
You require two permissions to ingest Event Hub through through Microsoft Cloud Services.
- Azure Service Management -> "user_impersonation"
- In Azure Portal -> Subscriptions -> Access control (IAM) -> Add role assignments -> Role: "Azure Event Hubs Data Receiver" -> User, group or service principal -> give this your app.
It has been documented meanwhile at https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureeventhubs