Splunk Add-On for Microsoft Cloud Services - How to fix Eventhub input parsing error of JSON?

thilles
Explorer

Hi! 

We've set up an Eventhub input using the Splunk Add-on for MS Cloud Services, and we are getting events successfully into Splunk.

The problem is that the events are not formatted correctly when indexed into Splunk. 
JSON formatted events are indexed into Splunk with all the quotation marks escaped. This messes up the syntax highlighting, and the auto field extractions.

The sourcetype used during eventhub config is mscs:azure:eventhub, as the docs state.

The following code is used to generate test data, and the rendered result is in the screenshot. 

Anyone seen the same, or resolved it somehow?

 

import json
from azure.eventhub import EventData

# event_data_batch is assumed to come from EventHubProducerClient.create_batch()

# Method 1 - You provide a JSON string
body1 = "{'id':'device2','goo':'frodo'}"
event_data_batch.add(EventData(body1))

# Method 2 - You get the JSON object and convert it to a string
json_obj = {"id": "device3", "goo": "bilbo"}
body2 = json.dumps(json_obj)
event_data_batch.add(EventData(body2))

# This just sends a plain string, which will not be captured by TSI
event_data_batch.add(EventData('Third event'))

0 Karma
1 Solution

kristenbidbax
Explorer

Add event_format_flags = 1 to your inputs, as per the documentation:
https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Upgrade

0 Karma

thilles
Explorer

As an added input:
I've used the Eventhub integration to collect events with proper JSON rendering earlier, but then the data source was Microsoft's own streaming options to Eventhub, e.g. Stream Microsoft Defender for Endpoint events to Azure Event Hubs | Microsoft Learn

0 Karma
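A way to check what the producer sends and what ends up indexed, as an added example that is not part of the thread or of the add-on's code: it classifies a raw event body as valid JSON, JSON that was serialized a second time (the escaped-quotes symptom), or not JSON at all. The `escaped` and `wrapped` samples and the `body` field name are constructed assumptions about the indexed form, not taken from the screenshot.

```python
import json

def parse_container(text):
    """Return the dict/list encoded by text, or None if it is not a JSON object/array."""
    try:
        value = json.loads(text)
    except ValueError:
        return None
    return value if isinstance(value, (dict, list)) else None

def unwrap(raw):
    """Decode raw, expanding any string layer that itself holds serialized JSON."""
    try:
        value = json.loads(raw)
    except ValueError:
        return None                      # not JSON at all
    if isinstance(value, str):           # whole event is a quoted JSON string
        return parse_container(value)
    if isinstance(value, dict):          # wrapper object with JSON inside a string field
        out = {}
        for key, item in value.items():
            inner = parse_container(item) if isinstance(item, str) else None
            out[key] = item if inner is None else inner
        return out
    return value if isinstance(value, list) else None

def classify_event(raw):
    """Return 'json', 'double_encoded' or 'not_json' for one raw event body."""
    decoded = unwrap(raw)
    if decoded is None:
        return "not_json"
    return "json" if decoded == parse_container(raw) else "double_encoded"

# Constructed samples: the three bodies from the question, plus two assumed
# shapes of an event whose quotation marks arrive escaped.
body2 = json.dumps({"id": "device3", "goo": "bilbo"})
SAMPLES = {
    "method1": "{'id':'device2','goo':'frodo'}",
    "method2": body2,
    "third": "Third event",
    "escaped": json.dumps(body2),             # JSON string wrapping JSON
    "wrapped": json.dumps({"body": body2}),   # "body" is a hypothetical field name
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} {classify_event(raw):15} {raw}")
```

The Method 1 body is single-quoted, so it classifies as `not_json` regardless of how the input is configured; only the Method 2 body is a JSON object that automatic field extraction can use.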