All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Microsoft Azure Add on for Splunk no longer pulling event hub data

junshi
Explorer
‎01-28-2021 11:29 AM

Logs have been working fine until this week, now I get the error:

 

 

ERROR pid=15289 tid=MainThread file=base_modinput.py:log_error:307 | _Splunk_ Error getting event hub data for hub: insights-logs-signinlogs, resource: 3. Detail: The service was unable to process the request; please retry the operation. For more information on exception types and proper exception handling, please refer to http://go.microsoft.com/fwlink/?LinkId=761101 TrackingId:abe05384f2aa4f528eaad64feccc1e53_G8, SystemTracker:gateway5, Timestamp:

ErrorCodes.InternalServerError: The service was unable to process the request; please retry the operation. For more information on exception types and proper exception handling, please refer to http://go.microsoft.com/fwlink/?LinkId=761101 TrackingId:abe05384f2aa4f528eaad64feccc1e53_G8, SystemTracker:gateway5, Timestamp:

 

Also seeing these errors around the same time:

ERROR pid=48797 tid=MainThread file=base_modinput.py:log_error:307 | _Splunk_ Error getting event hub data for hub: insights-logs-auditlogs, resource: 2. Detail: ('Connection aborted.', BadStatusLine("''",))

This is happening for multiple hubs?

Azure App v2.1.0

Spunk v7.3.3

@jconger !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

junshi
Explorer
‎02-18-2021 07:52 AM

Found the solution, the number of eventhub events had increased and the default settings for the Microsoft Azure Add-on App were no longer able to keep up.

I increased the setting for "Max batch Set Iterations" from 100 to 1000.

I then checked the eps for this source and saw a 50% increase. After a few days, the logs finally caught up and we are now pulling logs in a timely manner.

View solution in original post

Reply
Solved! Jump to solution
Solution

junshi
Explorer
‎02-18-2021 07:52 AM

Found the solution, the number of eventhub events had increased and the default settings for the Microsoft Azure Add-on App were no longer able to keep up.

I increased the setting for "Max batch Set Iterations" from 100 to 1000.

I then checked the eps for this source and saw a 50% increase. After a few days, the logs finally caught up and we are now pulling logs in a timely manner.

Reply
Solved! Jump to solution

pabaph
Engager
‎04-29-2021 01:23 AM

Hi junsi,

We are facing the same issue in one project with that particular TA. Which is the file where you modified that parameter? Thanks in advance.

Best regards.

0 Karma
Reply
Solved! Jump to solution

junshi
Explorer
‎04-29-2021 06:13 AM

You can get to the setting within the App.

Simply click on the INPUTS tab, then select your (EventHub) input.

Click EDIT.

The Max Batch settings are at the bottom of the window!

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...