Hi,
I've searched the forums and found one thread about getting Intune data in to Splunk which set me on a path, hopefully, to getting the data in.
I'm working through the guidance here - Splunk Add-on for Microsoft Cloud Services - Splunk Documentation
I have requested and got an Event Hub from the team that look after Azure infrastructure. I've created the Azure app registration, set the API permissions, Access control on the Event Hub, and can see this is being successfully signed in to having configured the Splunk add-on side as well.
I'm not seeing any data come in to the index though. The one thing I'm unclear on and I haven't been able to work out the definitive answer to is whether I need an Azure storage account in order to store the date.
My reading of the Event Hub configuration options suggested to me that it was capable of some form of retention to allow streaming elsewhere (e.g. setting the retention time) but perhaps that is me misinterpreting it.
Has anyone successfully got this working and if so, are you using a storage account with this?
I should probably add that we're very early on in our Intune configuration and deployment so there isn't a huge amount going on yet but I've tried generating some test data in the Event Hub itself.
Turned out I'd misnamed the Event Hub Name by using the namespace instead... sorted now.