- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Add-on for Microsoft Cloud Services:
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Add-on for Microsoft Cloud Services:
Hello all,
Myself and My colleagues are attempting to set up the Splunk Add-on for Microsoft Cloud Services to pull down NSG Flow logs out of a Network Watcher an into Splunk.
We have been following the "Splunking Microsoft Azure Network Watcher Data" tutorial on the "TIPS & TRICKS" section of the Splunk Blog.
Azure Storage account has been setup to the best of our understanding using an Access Key.
Azure Storage Blob has been setup as per the tutorial (The important part being Container Name : "insights-logs-networksecuritygroupflowevent")
When this is ran we get the following error and are having difficulties trying to establish what the cause may be:
YYYY-MM-dd hh:mm:ss,xxx +0000 log_level=ERROR, pid=xxxxx, tid=Thread-34, file=mscs_storage_dispatcher.py, func_name=_dispatch_storage_list, code_line_no=86 | [stanza_name="<stanza_name>" account_name="<account_name>" container_name="insights-logs-networksecuritygroupflowevent" blob_list=""] Exception@_dispatch_tables() ,error_message=ConnectionError: HTTPSConnectionPool(host='<account_name>.blob.core.windows.net', port=443): Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent?restype=container&comp=list (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 82, in _dispatch_storage_list
self._do_dispatch()
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 93, in _do_dispatch
self._dispatch_tasks(patterns)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_dispatcher.py", line 115, in _dispatch_tasks
next_marker, patterns)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/mscs_storage_blob_dispatcher.py", line 92, in _get_storage_info_list
marker=marker)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/blob/baseblobservice.py", line 1177, in list_blobs
resp = self._list_blobs(*args, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/blob/baseblobservice.py", line 1247, in _list_blobs
response = self._perform_request(request)
File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/splunktamscs/azure/storage/storageclient.py", line 186, in _perform_request
raise AzureException('{}: {}'.format(ex.__class__.__name__, ex.args[0]))
AzureException: ConnectionError: HTTPSConnectionPool(host='<account_name>.blob.core.windows.net', port=443): Max retries exceeded with url: /insights-logs-networksecuritygroupflowevent?restype=container&comp=list (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fdf0c7eb790>: Failed to establish a new connection: [Errno 110] Connection timed out',))
We are able to Curl from the Heavy Forwarder the app is installed on to the storage URL's.
We are stuck trying to determine if the problems due to configuration within Splunk or in the cloud or somewhere in-between.
If anyone could offer any suggestions on lines of investigation or if they have experienced anything similar before, we would be grateful.
Many Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you create this input by going into the Splunk Add-on for Microsoft Cloud Services UI, or did you create the input by going to Settings -> Data Inputs?
The reason I ask is the error messages have the following red flags:
stanza_name="" account_name=""account_nameshould not be blank.host='.blob.core.windows.net', port=443If account_name was not blank (let's say account_name was my-storage-account), a connection would be made tohost='my-storage-account.blob.core.windows.net', port=443
To set his up, open the Splunk Add-on for Microsoft Cloud Services app -> Configuration -> Azure Storage Account -> Add Azure Storage Account. Then, create the input by going to the Inputs menu -> Create New Input -> Azure Storage Blob.
Here is a good blob post on the subject -> https://www.splunk.com/blog/2017/08/18/splunking-microsoft-cloud-data-part-2.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply and My apologies,
I had wrapped the anonymized configuration details in “<>” without realising they would be parsed out when I posted. This also removed part of the error message.
So stanza_name=”” should have read stanza_name=<stanza_name>
I used the GUI to input the details.
Thanks again.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
