Microsoft Azure Add on for Splunk not pulling event_hub data

brianpratt
Engager

I have one instance set up successfully and it's pulling down data. But I have an instance that is not working. I get the following events in ta_ms_aad_azure_event_hub.log:

2020-05-09 04:44:18,079 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:18,912 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:19,548 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:20,655 INFO pid=7997 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-05-09 04:44:21,757 INFO pid=7997 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2020-05-09 04:44:21,758 INFO pid=7997 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2020-05-09 04:44:21,758 INFO pid=7997 tid=MainThread file=client_abstract.py:__init__:161 | u'eventhub.pysdk-008cb880': Created the Event Hub client
2020-05-09 04:44:21,762 INFO pid=7997 tid=MainThread file=connection.py:_state_changed:177 | Connection '6d677b52-1575-4388-9bbf-dc0f791dcf08' state changed from to
2020-05-09 04:44:21,921 INFO pid=7997 tid=MainThread file=connection.py:_state_changed:177 | Connection '6d677b52-1575-4388-9bbf-dc0f791dcf08' state changed from to
2020-05-09 04:44:21,943 INFO pid=7997 tid=MainThread file=connection.py:work:259 | 'Closing tlsio from a state other than TLSIO_STATE_EXT_OPEN or TLSIO_STATE_EXT_ERROR'

I see from other posts this is often a wrong primary or secondary key but I'm using the copy to clipboard icon under RootManageSharedAccessKey and pasting into the connection string field. I've tried both primary and secondary many times. For the eventhub, I've gone to the namespace, clicked eventhubs under entities and copied my only configured eventhub. I believe I've used the same process as the input that's working.

Comparing tcpdump between the 2 connections, I see traffic both ways on port 5671. But at the point the one stops, the successful connection has some kind of TLS exchange... This is part of that packet:

Washington1.0...U....Redmond1.0...U.
..Microsoft Corporation1.0...U....Microsoft IT1.0...U....Microsoft IT TLS CA 40... Ehttp://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%204.crt0"..+.....0...http://ocsp.msocsp.com

So I'm using Microsoft Azure Add on for Splunk version 2.02 (I've tried 2.10 as well)
I'm using Splunk Enterprise Version 7.1.7 (also tried Splunk 7.3.5)

Any suggestions on what I can check or do to fix?? Thank you...

splunk219783
Path Finder

FWIW I had similar issues that went away after upgrading to the new version that supports 8.0.

I'm assuming this had something to do with the Python migration.

0 Karma

jconger
Splunk Employee

It sounds like it could be the connection string or blocked outbound ports. The Event Hub input uses AMQP which will require ports 5671 and 5672 outbound.

For the connection string, make sure you are copying the connection string from the portal and not just the key:

brianpratt
Engager

Security confirmed drops on these ports. Opening up ports 5671/5672 worked... Thanks for the input!!

0 Karma
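
A pre-flight check for the two causes named in the answer above, a key pasted in place of the full connection string and blocked outbound AMQP ports, as an added example that is not part of the original thread or the add-on's code. The `Endpoint=sb://...;SharedAccessKeyName=...;SharedAccessKey=...` layout is the usual Event Hubs connection string form and is assumed here, as are the `EVENTHUB_CONN_STR` variable name and the constructed sample value.

```python
import os
import socket
from urllib.parse import urlparse

AMQP_PORTS = (5671, 5672)  # outbound ports named in the answer
REQUIRED = ("Endpoint", "SharedAccessKeyName", "SharedAccessKey")


def parse_connection_string(value):
    """Return the fields of a full connection string; ValueError for a bare key."""
    fields = {}
    for part in filter(None, value.strip().split(";")):
        # Split on the first '=' only: base64 keys usually end in '='.
        key, sep, val = part.partition("=")
        if not sep or not val:
            raise ValueError("not Key=Value pairs; was only the key copied?")
        fields[key.strip()] = val.strip()
    missing = [name for name in REQUIRED if name not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    host = urlparse(fields["Endpoint"]).hostname
    if not fields["Endpoint"].startswith("sb://") or not host:
        raise ValueError("Endpoint should look like sb://<namespace host>/")
    fields["host"] = host
    return fields


def check_outbound(host, ports=AMQP_PORTS, timeout=5.0):
    """Map each port to None if a TCP connection opened, else the error text."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = None
        except OSError as exc:  # a timeout usually means a silent firewall drop
            results[port] = f"{type(exc).__name__}: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample value (not a real key); the environment variable name
    # is an assumption, used so the secret stays out of the process arguments.
    sample = ("Endpoint=sb://example-namespace.servicebus.windows.net/;"
              "SharedAccessKeyName=RootManageSharedAccessKey;"
              "SharedAccessKey=Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==")
    info = parse_connection_string(os.environ.get("EVENTHUB_CONN_STR", sample))
    for port, err in check_outbound(info["host"]).items():
        print(info["host"], port, "reachable" if err is None else "FAILED " + err)
```

A successful TCP connect only shows that the handshake is not blocked. As the packet capture in the question shows, traffic can flow both ways on 5671 and still stop before the TLS exchange, so a passing result does not rule out filtering further along the path.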

subbarayudu
New Member

Thanks Brianpratt for the inputs. I created the key but still it errors,

0 Karma