All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Cloud Services - What can event_format_flags be used for?

Tasos
Engager
‎03-17-2021 02:28 AM

I am trying to undesrtand what the option event_format_flags in  inputs.conf  file can be used for.[mscs_azure_event_hub://<name>]
event_format_flags = <integer> The bitwise flags that determines the format of output events

Labels (1)
Labels
Reply

youngec
Explorer
‎11-17-2022 03:16 PM

There seems to no longer be any mention of event_format_flags in the latest app upgrade documentation as of the release of v4.5.1.  So maybe this is no longer necessary in the updated app.

Upgrade the Splunk Add-on for Microsoft Cloud Services - Splunk Documentation

0 Karma
Reply

ivarny
Path Finder
‎10-19-2022 02:58 AM

Anyone?  We are getting json formatted data that is garbeld now via the Microsoft-Cloud-Services app.

It was formatted correctly via the AAD app.

Now there is extra " " around the json and additional \" around each key. 

0 Karma
Reply

Ankit_kiraula
Explorer
‎08-28-2024 09:33 PM

Hey, were you able to find the resolution on this?

0 Karma
Reply

ivarny
Path Finder
‎08-29-2024 01:06 AM

Nope, I think I ended up with using sed in props to remove the offending " ".

0 Karma
Reply

Ankit_kiraula
Explorer
‎08-29-2024 02:08 AM

can you share the props or SEDCMD you are using right now?

0 Karma
Reply

ivarny
Path Finder
‎08-29-2024 06:21 AM

Sure, it seems it was only needed for a particular eventhub, and there I am running:

SEDCMD-remove_quot_infront= s/^\"{/{/g

SEDCMD-remove_quot_behind = s/}\"$/}/g

SEDCMD-remove_slash = s/\\"/"/g

0 Karma
Reply

Ankit_kiraula
Explorer
‎08-29-2024 11:36 PM

Yea, smae same but different.

 

yesterday i applied this  and it started working too.

s/(\\")/"/g
 
on the data but now i do not see it in the sourcetype advance option, if i add it again the log quality will ruin again. so not sure how the TA messed up.
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...