Splunk Add-on for Microsoft Cloud Services - What can event_format_flags be used for?

Tasos
Engager

I am trying to understand what the option event_format_flags in the inputs.conf file can be used for.

[mscs_azure_event_hub://<name>]
event_format_flags = <integer> The bitwise flags that determines the format of output events

youngec
Explorer

There seems to no longer be any mention of event_format_flags in the latest app upgrade documentation as of the release of v4.5.1.  So maybe this is no longer necessary in the updated app.

Upgrade the Splunk Add-on for Microsoft Cloud Services - Splunk Documentation

0 Karma

ivarny
Path Finder

Anyone? We are getting JSON-formatted data that is garbled now via the Microsoft-Cloud-Services app.

It was formatted correctly via the AAD app.

Now there is extra " " around the json and additional \" around each key. 

0 Karma

Ankit_kiraula
Explorer

Hey, were you able to find the resolution on this?

0 Karma

ivarny
Path Finder

Nope, I think I ended up with using sed in props to remove the offending " ".

0 Karma

Ankit_kiraula
Explorer

Can you share the props or SEDCMD you are using right now?

0 Karma

ivarny
Path Finder

Sure, it seems it was only needed for a particular eventhub, and there I am running:

SEDCMD-remove_quot_infront= s/^\"{/{/g

SEDCMD-remove_quot_behind = s/}\"$/}/g

SEDCMD-remove_slash = s/\\"/"/g

0 Karma

Ankit_kiraula
Explorer

Yea, same same but different.

Yesterday I applied this and it started working too.

s/(\\")/"/g

on the data, but now I do not see it in the sourcetype advanced option; if I add it again the log quality will be ruined again. So not sure how the TA messed up.
0 Karma
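
The three SEDCMD substitutions posted in this thread, emulated in Python as an added example (not code from the thread or from the add-on). It shows that they repair a simple double-encoded event but leave invalid JSON when a field value contains quotes of its own, while decoding the outer string first recovers the event. The sample events and field values are constructed, and Python's `re` module is assumed as a stand-in for the regex engine Splunk uses for SEDCMD.

```python
import json
import re

# The three substitutions from the thread, emulated with Python's re module
# (an assumption: it stands in for the regex engine Splunk uses for SEDCMD).
SEDCMDS = [
    (r'^"\{', '{'),   # SEDCMD-remove_quot_infront
    (r'\}"$', '}'),   # SEDCMD-remove_quot_behind
    (r'\\"', '"'),    # SEDCMD-remove_slash
]

def sed_unwrap(raw):
    """Apply the substitutions in sequence to the raw event text."""
    for pattern, replacement in SEDCMDS:
        raw = re.sub(pattern, replacement, raw)
    return raw

def decode_unwrap(raw):
    """Treat the event as a JSON string that itself contains JSON."""
    value = json.loads(raw)
    return json.loads(value) if isinstance(value, str) else value

def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

# Constructed sample events, double-encoded the way the thread describes:
# outer quotes around the object and \" around every key.
SIMPLE = json.dumps(json.dumps({"operationName": "Sign-in activity",
                                "resultType": "0"}))
# Same shape, but one value contains quotes of its own (arrives as \\\").
TRICKY = json.dumps(json.dumps({"operationName": "Update user",
                                "message": 'Name set to "svc-backup"'}))

if __name__ == "__main__":
    for name, event in (("simple", SIMPLE), ("tricky", TRICKY)):
        cleaned = sed_unwrap(event)
        print(name, "raw:    ", event)
        print(name, "sed:    ", cleaned, "valid:", is_valid_json(cleaned))
        print(name, "decoded:", decode_unwrap(event))
```

Events whose values carry embedded quotes are worth checking after applying the substitutions, since a broken event loses its JSON field extractions at search time.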