
Microsoft Azure Add-on for Splunk (TA-MS-AAD) Version 2.0.0 - No Event Hub Data Ingesting

jscraig2006
Communicator

I was happy to finally see the Event Hub input in the add-on. But my bubble was quickly popped. I've configured the input for an event hub and there isn't any data ingesting. Viewing the debug log, the input only shows executing the proxy configuration, which is successful. I do not see any attempt to query the hub. Any suggestions?

1 Solution

jconger
Splunk Employee

Do you see anything in _internal for the add-on using the following search?

index=_internal sourcetype="ta:ms:aad:log" source=*hub*

jscraig2006
Communicator

What I am seeing is:
2019-10-15 18:54:47,034 ERROR pid=61165 tid=MainThread file=mgmt_operation.py:on_complete:118 | Failed to complete mgmt operation.
Status code: 404
Message: "The messaging entity 'eventhub' could not be found."

Which is the hub name. Looking at the input, I'm confused as to what shared connection string I should use. I am using the shared connection string in Azure for the event hub itself. I am used to using the tenant ID, Subscription, App and Secret for permissions of other Azure Splunk inputs.

This is the connection string that I am using:
Endpoint=sb://'eventhub'.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey='secrect'


jscraig2006
Communicator

OK, I found my issue. I was using the event hub namespace and not the hub name.

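Added example (not part of the thread and not the add-on's own code): a pre-flight check for the misconfiguration resolved above, where the namespace was entered as the hub name and the service answered 404. It also flags the namespace-wide RootManageSharedAccessKey policy, which carries Manage and Send rights that a reader does not need. The function names, finding labels and sample strings are constructed for illustration.

```python
from urllib.parse import urlparse

def parse_connection_string(conn_str):
    """Split 'Key=Value;...' pairs; base64 key values may themselves contain '='."""
    fields = {}
    for part in conn_str.strip().split(";"):
        if part:
            key, _, value = part.partition("=")  # split on the first '=' only
            fields[key.strip()] = value.strip()
    return fields

def check_event_hub_input(conn_str, hub_name):
    """Return findings for a connection string / hub name pair (hypothetical helper)."""
    fields = parse_connection_string(conn_str)
    findings = []
    host = urlparse(fields.get("Endpoint", "")).hostname or ""
    namespace = host.split(".")[0]
    if not host.endswith(".servicebus.windows.net"):
        findings.append("endpoint-not-a-servicebus-namespace")
    # The namespace is the host part of Endpoint; the hub is an entity inside it.
    # Entering the namespace as the hub name is the mistake seen in this thread.
    if namespace and hub_name.lower() == namespace.lower():
        findings.append("hub-name-equals-namespace")
    # Hub-level connection strings carry EntityPath=<hub name>.
    entity = fields.get("EntityPath")
    if entity and entity.lower() != hub_name.lower():
        findings.append("hub-name-differs-from-entitypath")
    # Default namespace policy with Manage, Send and Listen on every hub.
    if fields.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
        findings.append("namespace-root-manage-key")
    return findings

# Constructed sample values, not real credentials.
BAD = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
       "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=Q09OU1RSVUNURUQ=")
GOOD = ("Endpoint=sb://contoso-ns.servicebus.windows.net/;"
        "SharedAccessKeyName=splunk-listen;SharedAccessKey=Q09OU1RSVUNURUQ=;"
        "EntityPath=signin-logs")

if __name__ == "__main__":
    print(check_event_hub_input(BAD, "contoso-ns"))
    print(check_event_hub_input(GOOD, "signin-logs"))
```

A hub can legitimately share its namespace's name, so treat `hub-name-equals-namespace` as a prompt to verify rather than a hard failure.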

jscraig2006
Communicator

I think I may have found the answer:
Platforms: Ubuntu or Darwin for Event Hubs. All other inputs are platform independent. Can anyone verify?


jconger
Splunk Employee

Yes, Ubuntu and Darwin are the only currently supported platforms for Event Hub due to some pre-compiled C code needed. What platform are you on?


jscraig2006
Communicator

Running on Red Hat Enterprise


jconger
Splunk Employee

I just tested on Red Hat Enterprise 7.7 and it worked. Do you see anything in the error logs?


jscraig2006
Communicator

I do. Let me look at the configuration of the input. I will let you know. Thanks!
