Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Microsoft Azure: Is there a reas...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Add-on for Microsoft Azure: Is there a reason Splunk keeps retrieving the same data from Azure?
I currently have the Splunk Add-on for Microsoft Azure for Splunk installed, but have noticed that each time it polls, it only retrieves the same set of events repeatedly and has not retrieved any new events since its implementation. I followed the directions in the PDF that comes with the add-on. Any advice would be greatly appreciated!
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello i hit the same issue. The problem it appears because they use os.rename to save information in file, about what is the latest collected data, but in Windows this fails after the first collection. It fails because in windows os.rename can’t save the file if the destination exist.
You can check the Python Docs : https://docs.python.org/2/library/os.html
For a workaround i changed the Python script to check if file exist before the rename and if it's existing, the script delete it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which input are you using? Also, try running the following search:
index=_internal sourcetype=splunkd Azure*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the Azure Audit input.
When I run that search I get the following error:
ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-Azure\bin\AzureAudit.py"" 2016-05-11 10:49:00,559 ERROR AzureAudit:410 - Error steaming data: [Error 183] Cannot create a file when that file already exists
There are also other licensing and metric entries too and they are all the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see what you're referencing, but I cannot locate the file that "already exists". I would prefer not to edit the script if necessary, especially as this isn't the exact same scenario. If I could locate this file I could rename it so that it could be recreated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And thank you for your time!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
