All Apps and Add-ons

Splunk Add-on for Microsoft Azure: Is there a reason Splunk keeps retrieving the same data from Azure?

mhazz19087
Engager

I currently have the Splunk Add-on for Microsoft Azure for Splunk installed, but have noticed that each time it polls, it only retrieves the same set of events repeatedly and has not retrieved any new events since its implementation. I followed the directions in the PDF that comes with the add-on. Any advice would be greatly appreciated!

Thank you!

0 Karma

danieltodorov
New Member

Hello i hit the same issue. The problem it appears because they use os.rename to save information in file, about what is the latest collected data, but in Windows this fails after the first collection. It fails because in windows os.rename can’t save the file if the destination exist.

You can check the Python Docs : https://docs.python.org/2/library/os.html

For a workaround i changed the Python script to check if file exist before the rename and if it's existing, the script delete it.

0 Karma

jconger
Splunk Employee
Splunk Employee

Which input are you using? Also, try running the following search:

index=_internal sourcetype=splunkd Azure*
0 Karma

mhazz19087
Engager

I am using the Azure Audit input.

When I run that search I get the following error:

ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-Azure\bin\AzureAudit.py"" 2016-05-11 10:49:00,559 ERROR AzureAudit:410 - Error steaming data: [Error 183] Cannot create a file when that file already exists

There are also other licensing and metric entries too and they are all the same.

0 Karma

giorgio_adami_m
Path Finder
0 Karma

mhazz19087
Engager

I see what you're referencing, but I cannot locate the file that "already exists". I would prefer not to edit the script if necessary, especially as this isn't the exact same scenario. If I could locate this file I could rename it so that it could be recreated.

0 Karma

mhazz19087
Engager

And thank you for your time!

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...