
Unable to receive the logs from Microsoft Azure Active Directory Reporting Add-on for Splunk 1.1.0

New Member


In one of my setups I have the previous version of the App, and that previous version is unable to collect the complete sign-in logs that are visible in the Azure Portal.

As I noticed a new version of the App was released, I installed the new version in another setup, configured the inputs (used the same config key from the working setup) and noticed the error logs below.

Kindly help to fix the issue

2019-04-25 10:27:56,177 DEBUG pid=6441 tid=MainThread | Next URL (@odata.nextLink):$orderby=createdDateTime&$filter=createdDateTime+...
2019-04-25 10:27:56,178 DEBUG pid=6441 tid=MainThread | Starting new HTTPS connection (1):

0 Karma


Hi @subbarayudu,

When I faced the same problem, I could improve the collection rate to over 99% by modifying the API calls that collect events (Sign-ins and Audit Logs) as follows.

ex) When the delay time is 5 minutes

# Audit Logs input (activityDateTime): bound the query window to (checkpoint, now - 5 min]
# "import datetime" must be present at the top of the input script
import datetime

    event_source = "tenant_id:%s" % tenant_id
    query_date = get_start_date(helper, check_point_key)
    # upper bound of the window: 5 minutes before now, so events written to the log late are not skipped
    query_date_end = (datetime.datetime.utcnow() - datetime.timedelta(minutes=5)).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
    access_token = azauth.get_access_token(client_id, client_secret, tenant_id)
    if access_token:
        # both bounds are parenthesised; the original line was missing the "(" before activityDateTime+gt
        url = "$orderby=activityDateTime&$filter=(activityDateTime+gt+%s)+and+(activityDateTime+le+%s)" % (query_date, query_date_end)
        audit_events = azutils.get_items(helper, access_token, url)


# Sign-ins input (createdDateTime): same bounded window
import datetime

    event_source = "tenant_id:%s" % tenant_id
    query_date = get_start_date(helper, check_point_key)
    # upper bound of the window: 5 minutes before now
    query_date_end = (datetime.datetime.utcnow() - datetime.timedelta(minutes=5)).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
    access_token = azauth.get_access_token(client_id, client_secret, tenant_id)
    if access_token:
        url = "$orderby=createdDateTime&$filter=(createdDateTime+gt+%s)+and+(createdDateTime+le+%s)" % (query_date, query_date_end)
        sign_ins = azutils.get_items(helper, access_token, url)

There is no need to restart the Splunk service after fixing.
The corrected API call will be executed at the next collection timing, and events from the checkpoint up to 5 minutes before the acquisition timing will be collected.

If you want to check that the modified API call is being executed, you can check it in the App's DEBUG log.

ex) Sign-ins

2019-05-31 15:09:23,282 DEBUG pid=32155 tid=MainThread | "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=(createdDateTime+gt+2019-05-31T05:58:52.8129242Z)+and+(createdDateTime+le+2019-05-31T06:04:22.013821Z) HTTP/1.1" 200 None
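To show why the 5-minute upper bound in the answer above matters, here is an added example (not the add-on's own code): it builds the same bounded OData filter and replays two collection runs over constructed sign-in events, one of which reaches the Graph API four minutes after its createdDateTime. The field names and timestamp format come from the snippets above; the event data, times and helper names are constructed for the illustration.

```python
import datetime

TS = '%Y-%m-%dT%H:%M:%S.%fZ'  # timestamp format the add-on sends to MS Graph


def _at(hh, mm):
    """Constructed UTC time on the day used in the answer's sample log line."""
    return datetime.datetime(2019, 5, 31, hh, mm, 0)


def build_window_query(field, checkpoint, now, delay_minutes=5):
    """Return (odata_query, window_end) for one collection run.

    field      -- 'createdDateTime' (sign-ins) or 'activityDateTime' (audit logs)
    checkpoint -- datetime of the last collected event (exclusive lower bound)
    now        -- current UTC datetime, passed in so the run is reproducible
    """
    window_end = now - datetime.timedelta(minutes=delay_minutes)
    query = "$orderby=%s&$filter=(%s+gt+%s)+and+(%s+le+%s)" % (
        field, field, checkpoint.strftime(TS), field, window_end.strftime(TS))
    return query, window_end


def run_once(events, field, checkpoint, now, delay_minutes):
    """One collection run: only events the API has already exposed can be returned."""
    _, window_end = build_window_query(field, checkpoint, now, delay_minutes)
    got = [e for e in events
           if e['visible_at'] <= now and checkpoint < e[field] <= window_end]
    return got, window_end  # the window end becomes the next checkpoint


def simulate(delay_minutes):
    """Two runs ten minutes apart over constructed sign-ins; returns the ids collected."""
    events = [  # constructed sample: one on-time event, one exposed by the API 4 min late
        {'id': 'on-time', 'createdDateTime': _at(5, 50), 'visible_at': _at(5, 50)},
        {'id': 'late', 'createdDateTime': _at(5, 59), 'visible_at': _at(6, 3)},
    ]
    checkpoint, collected = _at(5, 0), []
    for now in (_at(6, 0), _at(6, 10)):
        got, checkpoint = run_once(events, 'createdDateTime', checkpoint, now, delay_minutes)
        collected += [e['id'] for e in got]
    return collected


if __name__ == '__main__':
    print("no delay:   ", simulate(0))   # the late event is skipped for good
    print("5 min delay:", simulate(5))   # the late event is picked up on the second run
```

With no delay the first run moves the checkpoint past 05:59 before the late event is visible, so it is never collected; with the 5-minute bound the second run's window still covers it.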

Splunk Employee

Hi @subbarayudu,

The issue is most likely related to the MS API itself. As a test, if you could make a call to the API separately and download the logs locally, you can then ingest these into Splunk in a separate test_index and compare against the results you have.

This Splunk Answer thread explains the situation:

Here’s the "gotcha" though - Microsoft may delay message trace logs up to 24 hours. During this delay, message traces may come out of sequence. Continuing our example above, a message trace log with a time stamp of 1:29 PM may have come in delayed. If we are already requesting data from 1:30 PM to 2:30 PM, we will miss this delayed event. The delay throttle makes sure we don’t go too fast and potentially miss events.

And it's also worth checking:

Hopefully this helps explain what you're seeing. If not, please do let us know.

0 Karma

New Member

Hi rkantamaneni,

We noticed Splunk is unable to receive the complete logs from the Azure Portal: logs that are available in the Azure Sign-in logs are not forwarded to Splunk. As part of validation, we searched for a user's log in the Azure Portal and were able to view the activity there, but the same log is not available in Splunk. As part of troubleshooting we noticed that logs are being forwarded to Splunk during that period, but the specific user's log is not available in Splunk; in Splunk we even queried with the Correlation ID as well. Kindly help to address the issue.


0 Karma

Splunk Employee

Hi @subbarayudu ,

>> previous version app is unable to collect the complete sign-in logs that is visible in Azure Portal.

Yes, the APIs in the newer version of the app were switched over to the MS Graph API so it matches what you see in the Azure Portal vs. before.

>> 2019-04-25 10:27:56,177 DEBUG

The messages you posted seem to be DEBUG level messages rather than ERROR messages. The DEBUG messages are from the App for whatever the App makers / developer(s) decide to print out to follow the internal actions of the App. The current messages don't seem to be representative of any kind of error, were these the right messages you meant to post?

@jconger can correct me if I missed anything.

0 Karma