All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Add-on for Microsoft Cloud Services - What can event_format_flags be used for?

Tasos
Engager
‎03-17-2021 02:28 AM

I am trying to undesrtand what the option event_format_flags in  inputs.conf  file can be used for.[mscs_azure_event_hub://<name>]
event_format_flags = <integer> The bitwise flags that determines the format of output events

Labels (1)
Labels
Reply

youngec
Explorer
‎11-17-2022 03:16 PM

There seems to no longer be any mention of event_format_flags in the latest app upgrade documentation as of the release of v4.5.1.  So maybe this is no longer necessary in the updated app.

Upgrade the Splunk Add-on for Microsoft Cloud Services - Splunk Documentation

0 Karma
Reply

ivarny
Path Finder
‎10-19-2022 02:58 AM

Anyone?  We are getting json formatted data that is garbeld now via the Microsoft-Cloud-Services app.

It was formatted correctly via the AAD app.

Now there is extra " " around the json and additional \" around each key. 

0 Karma
Reply

Ankit_kiraula
Explorer
‎08-28-2024 09:33 PM

Hey, were you able to find the resolution on this?

0 Karma
Reply

ivarny
Path Finder
‎08-29-2024 01:06 AM

Nope, I think I ended up with using sed in props to remove the offending " ".

0 Karma
Reply

Ankit_kiraula
Explorer
‎08-29-2024 02:08 AM

can you share the props or SEDCMD you are using right now?

0 Karma
Reply

ivarny
Path Finder
‎08-29-2024 06:21 AM

Sure, it seems it was only needed for a particular eventhub, and there I am running:

SEDCMD-remove_quot_infront= s/^\"{/{/g

SEDCMD-remove_quot_behind = s/}\"$/}/g

SEDCMD-remove_slash = s/\\"/"/g

0 Karma
Reply

Ankit_kiraula
Explorer
‎08-29-2024 11:36 PM

Yea, smae same but different.

 

yesterday i applied this  and it started working too.

s/(\\")/"/g
 
on the data but now i do not see it in the sourcetype advance option, if i add it again the log quality will ruin again. so not sure how the TA messed up.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...