No Data collected with Microsoft Azure Add-on version 2.1 and Splunk 7.3

michael_wong
Path Finder

I can't get any data from Azure. I understand that I need to configure the connection string and the Event Hub name, but nothing shows up, even in the internal index:

  • Paste the connection string from Step 1
  • Paste the Event Hub name from Step 2

From the server side, I can see traffic being exchanged, so I assume the connectivity is good.

Is there any way I can troubleshoot this issue to see what's going wrong?

# tcpdump -i any host hsbc-multi-shrd-01-euw-evhub-mon-01.servicebus.windows.net -t
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
IP gbl20060520.hc.cloud##########.35030 > 10.102.144.196.amqps: Flags [P.], seq 1506474280:1506474345, ack 958390525, win 340, length 65
IP gbl20060520.hc.cloud##########.35028 > 10.102.144.196.amqps: Flags [P.], seq 871485393:871485446, ack 2983679033, win 1027, length 53
IP 10.102.144.196.amqps > gbl20060520.hc.cloud##########.35032: Flags [P.], seq 2685114633:2685115149, ack 3374421201, win 2048, length 516
IP 10.102.144.196.amqps > gbl20060520.hc.cloud##########.35028: Flags [P.], seq 1:7589, ack 0, win 2048, length 7588
IP gbl20060520.hc.cloud##########.35028 > 10.102.144.196.amqps: Flags [.], ack 7589, win 1145, length 0
IP 10.102.144.196.amqps > gbl20060520.hc.cloud##########.35030: Flags [P.], seq 1:1962, ack 65, win 2048, length 1961
IP gbl20060520.hc.cloud##########.35030 > 10.102.144.196.amqps: Flags [.], ack 1962, win 370, length 0
IP 10.102.144.196.amqps > gbl20060520.hc.cloud##########.35030: Flags [P.], seq 1962:3630, ack 65, win 2048, length 1668
IP gbl20060520.hc.cloud##########.35030 > 10.102.144.196.amqps: Flags [.], ack 3630, win 397, length 0
IP 10.102.144.196.amqps > gbl20060520.hc.cloud##########.35030: Flags [P.], seq 3630:6891, ack 65, win 2048, length 3261
IP gbl20060520.hc.cloud##########.35030 > 10.102.144.196.amqps: Flags [.], ack 6891, win 447, length 0

Thanks,

Michael

1 Solution

michael_wong
Path Finder

I found the issue. The add-on works fine, but I can't see them on the HF because they have been forwarded to the indexer, leaving no local data. I can see the logs on my indexer.

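The resolution above turns on where the events end up: a heavy forwarder that only forwards keeps no local copy, so a search run on the HF (including index=_internal) is empty while the indexer has everything. The following is an added example, not code from this thread or from Splunk, that reads a heavy forwarder's outputs.conf and reports the forwarding targets and whether a local copy is kept, so you know which host to search on. It assumes the standard outputs.conf layout ([tcpout] with defaultGroup, one [tcpout:<group>] stanza per group with a comma-separated server list, and an optional [indexAndForward] stanza whose index key enables local indexing, default false); the sample configuration and host names are constructed placeholders.

```python
"""Report where a Splunk heavy forwarder sends data and whether it keeps a local copy.

Added example for this thread; not code from the thread or from Splunk.
Assumes the standard outputs.conf layout: [tcpout] with defaultGroup,
[tcpout:<group>] stanzas with a comma-separated server list, and an optional
[indexAndForward] stanza whose `index` key enables local indexing (default false).
"""
import configparser
from typing import Dict, List

# Constructed sample of a typical heavy forwarder outputs.conf; hosts are placeholders.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx01.example.internal:9997, idx02.example.internal:9997
"""


def parse_outputs_conf(text: str) -> Dict[str, object]:
    """Return the default target groups, their servers, and the local-indexing flag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's case-sensitive keys (defaultGroup) intact
    cp.read_string(text)

    default_group = cp.get("tcpout", "defaultGroup", fallback="")
    groups: List[str] = [g.strip() for g in default_group.split(",") if g.strip()]

    forward_to: Dict[str, List[str]] = {}
    for group in groups:
        stanza = f"tcpout:{group}"
        servers = cp.get(stanza, "server", fallback="")
        forward_to[group] = [s.strip() for s in servers.split(",") if s.strip()]

    # Splunk forwards only by default: no local copy unless index = true is set here.
    index_locally = cp.getboolean("indexAndForward", "index", fallback=False)

    return {"forward_to": forward_to, "index_locally": index_locally}


def where_to_search(cfg: Dict[str, object]) -> str:
    """Say which host will actually show the add-on's events in search."""
    # No tcpout targets at all means the instance indexes locally anyway.
    if cfg["index_locally"] or not cfg["forward_to"]:
        return "forwarder"
    return "indexer"


if __name__ == "__main__":
    cfg = parse_outputs_conf(SAMPLE_OUTPUTS_CONF)
    for group, servers in cfg["forward_to"].items():
        print(f"group {group}: {', '.join(servers)}")
    print(f"local copy kept: {cfg['index_locally']}")
    print(f"search on the: {where_to_search(cfg)}")
```

Run it against the merged configuration of the HF ($SPLUNK_HOME/bin/splunk btool outputs list would give that merged view) rather than a single file, since a deployment app may override the local outputs.conf. If the script reports "indexer", run index=_internal source=*aad* on the indexer or on a search head that searches it, not on the forwarder.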

Vardhan
Contributor

Did you install the add-on on the Heavy Forwarder?

Vardhan
Contributor

Hi,

Did you check the connectivity?

Where did you install the add-on? Is it on the HF?

Did you check the internal logs? index=_internal source=*aad*

michael_wong
Path Finder

Per the tcpdump results, I can see the traffic went through from the server to Azure. The strange thing is that there is nothing at index=_internal.
