Splunk Add-on for Microsoft Cloud Services - What ...

Tasos · ‎03-17-2021

I am trying to undesrtand what the option event_format_flags in inputs.conf file can be used for.[mscs_azure_event_hub://<name>]
event_format_flags = <integer> The bitwise flags that determines the format of output events

youngec · ‎11-17-2022

There seems to no longer be any mention of event_format_flags in the latest app upgrade documentation as of the release of v4.5.1. So maybe this is no longer necessary in the updated app.

Upgrade the Splunk Add-on for Microsoft Cloud Services - Splunk Documentation

ivarny · ‎10-19-2022

Anyone? We are getting json formatted data that is garbeld now via the Microsoft-Cloud-Services app.

It was formatted correctly via the AAD app.

Now there is extra " " around the json and additional \" around each key.

Ankit_kiraula · ‎08-28-2024

Hey, were you able to find the resolution on this?

ivarny · ‎08-29-2024

Nope, I think I ended up with using sed in props to remove the offending " ".

Ankit_kiraula · ‎08-29-2024

can you share the props or SEDCMD you are using right now?

ivarny · ‎08-29-2024

Sure, it seems it was only needed for a particular eventhub, and there I am running:

SEDCMD-remove_quot_infront= s/^\"{/{/g

SEDCMD-remove_quot_behind = s/}\"$/}/g

SEDCMD-remove_slash = s/\\"/"/g

Ankit_kiraula · ‎08-29-2024

Yea, smae same but different.

yesterday i applied this and it started working too.

s/(\\")/"/g

on the data but now i do not see it in the sourcetype advance option, if i add it again the log quality will ruin again. so not sure how the TA messed up.

Splunk Add-on for Microsoft Cloud Services - What can event_format_flags be used for?

configuration

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?