Splunk Add-on for Microsoft Cloud Services - What ...

Tasos · ‎03-17-2021

I am trying to undesrtand what the option event_format_flags in inputs.conf file can be used for.[mscs_azure_event_hub://<name>]
event_format_flags = <integer> The bitwise flags that determines the format of output events

youngec · ‎11-17-2022

There seems to no longer be any mention of event_format_flags in the latest app upgrade documentation as of the release of v4.5.1. So maybe this is no longer necessary in the updated app.

Upgrade the Splunk Add-on for Microsoft Cloud Services - Splunk Documentation

ivarny · ‎10-19-2022

Anyone? We are getting json formatted data that is garbeld now via the Microsoft-Cloud-Services app.

It was formatted correctly via the AAD app.

Now there is extra " " around the json and additional \" around each key.

Ankit_kiraula · ‎08-28-2024

Hey, were you able to find the resolution on this?

ivarny · ‎08-29-2024

Nope, I think I ended up with using sed in props to remove the offending " ".

Ankit_kiraula · ‎08-29-2024

can you share the props or SEDCMD you are using right now?

ivarny · ‎08-29-2024

Sure, it seems it was only needed for a particular eventhub, and there I am running:

SEDCMD-remove_quot_infront= s/^\"{/{/g

SEDCMD-remove_quot_behind = s/}\"$/}/g

SEDCMD-remove_slash = s/\\"/"/g

Ankit_kiraula · ‎08-29-2024

Yea, smae same but different.

yesterday i applied this and it started working too.

s/(\\")/"/g

on the data but now i do not see it in the sourcetype advance option, if i add it again the log quality will ruin again. so not sure how the TA messed up.

Splunk Add-on for Microsoft Cloud Services - What can event_format_flags be used for?

configuration

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)