All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Microsoft Azure Add on, Event Hub input - support for RHEL 7

nickmdps
Engager
‎07-09-2020 08:11 PM

We need to pull events into Splunk from an Azure Event Hub, and the "Microsoft Azure Add on" looks to be the best option.

Our organisational policy restricts us to RHEL (i.e. Ubuntu or other distros are not an option) so I intend to install the add-on on a Heavy Forwarder running on RHEL 7.8.

As we are still running Splunk v7.2.5.1 I will be installing v2.1.1 of the add-on, however I note that the README for that version indicates that only Ubuntu or Darwin are supported for the Event Hub input for this version of the add-on i.e:

Platforms: Unbuntu or Darwin for Event Hubs. All other inputs are platform independent

However, in other related issues it looks like the add-on has run successfully for the event hub input on RHEL as late as 7.7 as noted by @jconger  in Microsoft Azure Add-on for Splunk (TA-MS-AAD) Version 2.0.0 - No Event Hub Data Ingesting.

So two questions:

  1. Will this work i.e. will I be able to pull events from an Azure Event hub using this blend of versions and distros?
  2. What issues/errors should I expect (if any)?

Thanks.

 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎07-10-2020 09:40 AM

To answer your questions directly:

  1. The add-on will work on RHEL.  I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input.  You need to create one input for each individual hub you want to ingest.  In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports.  Event Hubs use AMQP for communication.  You will need ports 5671 and 5672 outbound open.

View solution in original post

Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎07-10-2020 09:40 AM

To answer your questions directly:

  1. The add-on will work on RHEL.  I'll get the README updated.
  2. The 2 main issues I've seen are:
    1. Specifying a namespace instead of an Event Hub name in the input.  You need to create one input for each individual hub you want to ingest.  In other words, use the Event Hub name and NOT the Event Hub Namespace.
    2. Blocked outbound ports.  Event Hubs use AMQP for communication.  You will need ports 5671 and 5672 outbound open.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...