Microsoft Azure Add on, Event Hub input - support for RHEL 7

nickmdps
Engager

We need to pull events into Splunk from an Azure Event Hub, and the "Microsoft Azure Add on" looks to be the best option.

Our organisational policy restricts us to RHEL (i.e. Ubuntu or other distros are not an option) so I intend to install the add-on on a Heavy Forwarder running on RHEL 7.8.

As we are still running Splunk v7.2.5.1 I will be installing v2.1.1 of the add-on; however, I note that the README for that version indicates that only Ubuntu or Darwin are supported for the Event Hub input for this version of the add-on, i.e.:

Platforms: Unbuntu or Darwin for Event Hubs. All other inputs are platform independent

However, in other related issues it looks like the add-on has run successfully for the event hub input on RHEL as late as 7.7, as noted by @jconger in Microsoft Azure Add-on for Splunk (TA-MS-AAD) Version 2.0.0 - No Event Hub Data Ingesting.

So two questions:

  1. Will this work i.e. will I be able to pull events from an Azure Event hub using this blend of versions and distros?
  2. What issues/errors should I expect (if any)?

Thanks.

jconger
Splunk Employee

To answer your questions directly:

  1. The add-on will work on RHEL.  I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input.  You need to create one input for each individual hub you want to ingest.  In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports.  Event Hubs use AMQP for communication.  You will need ports 5671 and 5672 outbound open.

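The two failure modes jconger lists (a namespace entered where the hub name belongs, and outbound AMQP ports blocked) can both be checked from the heavy forwarder before the input is enabled. The script below is an added example for this thread, not code from the add-on or from either poster. The namespace host and hub name in the usage section are placeholders; the script assumes the forwarder reaches the namespace directly (no egress proxy) and that `timeout` from coreutils and bash are present, which holds on a stock RHEL 7 install. The hub-name test is a heuristic: it only rejects values that look like a namespace FQDN, a `sb://`/`amqps://` URI or a connection string, since those are the shapes the mistake usually takes.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an Azure Event Hub input on a RHEL heavy forwarder.
# Added example; the host and hub name used at the bottom are placeholders.

# Returns 0 if VALUE looks like a bare Event Hub name, 1 if it looks like a
# namespace, URI or connection string (the first problem described above).
hub_name_looks_valid() {
  value="$1"
  case "$value" in
    "")                          return 1 ;;  # nothing entered
    *.servicebus.windows.net*)   return 1 ;;  # namespace FQDN, not a hub
    sb://*|amqps://*|Endpoint=*) return 1 ;;  # URI or connection string
    */*|*\ *)                    return 1 ;;  # path separators or whitespace
  esac
  return 0
}

# Returns 0 if a TCP connection to HOST:PORT opens within TIMEOUT seconds.
# Uses bash's /dev/tcp so no extra packages (nc, telnet) are required.
tcp_port_open() {
  host="$1"; port="$2"; timeout_s="${3:-5}"
  timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Checks the two AMQP ports the add-on needs outbound (5671 and 5672),
# prints one line per port and returns the number of ports that failed.
check_amqp_egress() {
  host="$1"; failed=0
  for port in 5671 5672; do
    if tcp_port_open "$host" "$port"; then
      echo "OK    $host:$port reachable"
    else
      echo "FAIL  $host:$port not reachable (check egress firewall or proxy)"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: ./eh_preflight.sh <namespace-host> <event-hub-name>
# e.g.   ./eh_preflight.sh mynamespace.servicebus.windows.net my-hub   (placeholders)
if [ "$#" -ge 2 ]; then
  if hub_name_looks_valid "$2"; then
    echo "OK    '$2' looks like an Event Hub name"
  else
    echo "FAIL  '$2' looks like a namespace or connection string; use the hub name"
  fi
  check_amqp_egress "$1"
fi
```

A connection that is refused immediately usually means the host resolved but nothing listens there (wrong host), while one that hits the timeout is the signature of a firewall or proxy silently dropping the port, which is the case jconger describes.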