Hi all,
This app was previously working but now has a constant 'loading...' screen. Nothing loads other than the App's menu strip. This is the same in anything which isn't the 'Documentation' or 'Troubleshooting' (which is really just the search) area.
When clicking into these non-loading areas of the app the whole Splunk interface seems to change slightly... Almost like Splunk has been downgraded by several versions or similar.
The 'Microsoft Azure Add-on for Splunk' is on version 3.0.1.
Anyone seen this kind of thing before?
So it seems the issue is we need an IDM added to our Splunk 'stack'. This is required when ingesting from cloud-based log sources (as Azure obviously is).
https://www.splunk.com/en_us/blog/platform/introducing-inputs-data-manager-on-splunk-cloud.html
Well, there could be multiple reasons.
1) If you have upgraded this app directly from 2.1.1 to 3.1.1, then as per the doc for this app you will definitely see issues, and there is no clear answer or explanation why.
2) The Microsoft vendor generally causes a lock to be generated if incorrect credentials are keyed in. I would recommend removing the below files from the local directory, but take a backup before, and then restart splunkd.
inputs.conf
ta_ms_aad_settings.conf
ta_ms_aad_account.conf
passwords.conf
3) If you upgraded Splunk to 8.x, the old app will not work because of incompatibility of the app with 7.x. You will see the below error.
Unable to initialize modular input "azure_virtual_network" defined in the app "TA-MS-AAD": Introspecting scheme=azure_virtual_network: script running failed (exited with code 1)..
The frustrating part is this app is not supported by Splunk, and even now you cannot download older versions as it says "This version has not passed Splunk AppInspect."
If option 2 is not helping, then the only option we are left with is to install a fresh app 3.1.1 and create the inputs again with correct passwords.
4) Last but not least, the Event hub input is deprecated in the new release. Though it is still working, it is not a reliable option as the doc says it is deprecated. If you have event hub inputs, then better use "Splunk add-on for Microsoft cloud service".
Hope this helps
Thanks for your reply. I tried to find the files you mentioned and couldn't locate them anywhere on the HF where these logs come from. Especially the;
'ta_ms_aad_settings.conf'
'ta_ms_aad_account.conf'
files. Is there somewhere else these files will be located?
May not be relevant, but I'm using Splunk cloud so my indexers and SHs are on Splunk's cloud.
If this was helpful please mark this as complete and accept the answer