
Microsoft Azure Active Directory Add-on for Splunk not ingesting audit logs, only Sign-Ins and Users.


Hello everyone,

I am facing this issue where for some reason audit logs are not being ingested into Splunk. The app lives on a Heavy Forwarder.

Both Sign-In and Audit logs are set and have the same credentials. I triple-checked their input configurations and all seems correct. Sign-in logs are now being ingested as expected, unlike the audit logs.

They are all configured with a 300 second interval and with the default range for old logs. The errors I see are:

"python /opt/splunk/etc/apps/TA-MS-AAD/bin/" HTTPError: 400 Client Error: Bad Request for url:$orderby=activityDateTime&$filter=activit...

I was seeing some 429s, which I found out had to do with API throttling, but now that I have it set to 300 seconds I don't seem to be getting those anymore:

-0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/" HTTPError: 429 Client Error: for url:$orderby=createdDateTime&$filter=createdDateTime+...

Have any of you experienced something similar with this app? I am super stuck and have no idea what is going on...

I would appreciate any help! 😉



New Member

Configure sign-ins and Audit logs on different HWFs.




Hey, thanks for the answer! However, I don't believe that should be the solution. Any HF should work the same; moreover, I don't have another one. Any other ideas?
