All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Streaming Intune data to Splunk via Azure Event Hub

JMLboro
Engager
‎09-15-2023 03:39 AM

Hi,

I've searched the forums and found one thread about getting Intune data in to Splunk which set me on a path, hopefully, to getting the data in.

I'm working through the guidance here - Splunk Add-on for Microsoft Cloud Services - Splunk Documentation

I have requested and got an Event Hub from the team that look after Azure infrastructure. I've created the Azure app registration, set the API permissions, Access control on the Event Hub, and can see this is being successfully signed in to having configured the Splunk add-on side as well. 

I'm not seeing any data come in to the index though. The one thing I'm unclear on and I haven't been able to work out the definitive answer to is whether I need an Azure storage account in order to store the date.

My reading of the Event Hub configuration options suggested to me that it was capable of some form of retention to allow streaming elsewhere (e.g. setting the retention time) but perhaps that is me misinterpreting it. 

Has anyone successfully got this working and if so, are you using a storage account with this? 

Labels (1)
Labels
0 Karma
Reply

JMLboro
Engager
‎09-15-2023 03:57 AM

I should probably add that we're very early on in our Intune configuration and deployment so there isn't a huge amount going on yet but I've tried generating some test data in the Event Hub itself. 

0 Karma
Reply

JMLboro
Engager
‎01-03-2024 04:54 AM

Turned out I'd misnamed the Event Hub Name by using the namespace instead... sorted now. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...