All Apps and Add-ons

Splunk Add-on for Microsoft Azure: Is there a reason Splunk keeps retrieving the same data from Azure?

mhazz19087
Engager

I currently have the Splunk Add-on for Microsoft Azure for Splunk installed, but have noticed that each time it polls, it only retrieves the same set of events repeatedly and has not retrieved any new events since its implementation. I followed the directions in the PDF that comes with the add-on. Any advice would be greatly appreciated!

Thank you!

0 Karma

danieltodorov
New Member

Hello i hit the same issue. The problem it appears because they use os.rename to save information in file, about what is the latest collected data, but in Windows this fails after the first collection. It fails because in windows os.rename can’t save the file if the destination exist.

You can check the Python Docs : https://docs.python.org/2/library/os.html

For a workaround i changed the Python script to check if file exist before the rename and if it's existing, the script delete it.

0 Karma

jconger
Splunk Employee
Splunk Employee

Which input are you using? Also, try running the following search:

index=_internal sourcetype=splunkd Azure*
0 Karma

mhazz19087
Engager

I am using the Azure Audit input.

When I run that search I get the following error:

ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-Azure\bin\AzureAudit.py"" 2016-05-11 10:49:00,559 ERROR AzureAudit:410 - Error steaming data: [Error 183] Cannot create a file when that file already exists

There are also other licensing and metric entries too and they are all the same.

0 Karma

giorgio_adami_m
Path Finder
0 Karma

mhazz19087
Engager

I see what you're referencing, but I cannot locate the file that "already exists". I would prefer not to edit the script if necessary, especially as this isn't the exact same scenario. If I could locate this file I could rename it so that it could be recreated.

0 Karma

mhazz19087
Engager

And thank you for your time!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...