All Apps and Add-ons

Microsoft Azure Add-on - No data received and getting error when looking into sign-in logs: HTTP 402 Payment Required -- Requires license feature='KVStore'.

robinettdonWY
Path Finder

Hi All,

I'm trying to use the Microsoft Azure Add-on for Splunk and was successful in getting this add-on to ingest Azure AD User data via the supplied input. When trying to use the Azure AD Sign-in input; I'm not getting any data and I'm seeing the following error when looking in the logs.

index="_internal" host=xxxx source="/opt/splunk/var/log/splunk/ta_ms_aad_MS_AAD_signins.log"

Returns the following error:

2020-04-24 15:07:53,551 ERROR pid=19474 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 84, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 62, in collect_events
    query_date = get_start_date(helper, check_point_key)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 37, in get_start_date
    d = helper.get_check_point(check_point_key)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 518, in get_check_point
    self._init_ckpt()
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 509, in _init_ckpt
    scheme=dscheme, host=dhost, port=dport)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/solnlib/modular_input/checkpointer.py", line 166, in __init__
    scheme, host, port, **context)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/solnlib/utils.py", line 167, in wrapper
    raise last_ex
HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'

About this setup: The add-on is running on a Heavy Forwarder and this forwarder is in the forwarder license group; forwarding to Splunk Cloud. I've double checked all the permissions that the registered app needs in Azure and I think I'm good there. This same registered app is in use with the legacy Microsoft Azure Active Directory Add-on to pull sign-in and audit logs today. The permissions I've granted the registered app are here:

alt text

Thoughts on what may be going on here?
Thanks!!

0 Karma
1 Solution

PavelP
Motivator

Hello @robinettdonWY ,

please check this solution: https://answers.splunk.com/answers/581082/license-required.html

Does it work for you?

View solution in original post

0 Karma

PavelP
Motivator

Hello @robinettdonWY ,

please check this solution: https://answers.splunk.com/answers/581082/license-required.html

Does it work for you?

0 Karma

robinettdonWY
Path Finder

Thanks! I had seen that post, but Splunk support did not want to provide me with the 0GB/day license that enables KV Store. They kept telling to contact the developer of the Add-on and that they didn't support it. That using the Forwarder Group license should be all I need.

I did, in my haste, try the Free License and that worked. Finally support suggested I copy the enterprise 0GB/day license they provided 2 years ago on another heavy forwarder to this one and that worked too (I should have thought about that before them).

Not sure why this add-on is not working with the normal Forwarder Group License on a Heavy Forwarder, I feel like it should.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...