
Why am I getting a "Winsock Error 10053" while using "Microsoft Log Analytics Add-on (Formerly Known as OMS)"?

payal4296
Explorer

I installed this add-on/app on a Heavy Forwarder and configured the inputs as:

Name: oms_test_env
Interval: 60
Index: main
Resource Group: xxxx
Workspace Name: xxxx
Subscription ID: xxxxx
Tenant ID: xxxx
Application ID: xxxx
Application ID: xxxx
Log Analytics Query: search *
Start Date: 15/08/2018 00:00:00
Event Delay/Lag Time: 15
1 Solution

493669
Super Champion

Hi @payal4296,
You should enter Workspace Name as Workspace Id


thambisetty
SplunkTrust

Single event is broken into multiple events - logs parsing issue

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

Modified line number 91
from
value = str(data["tables"][0]["rows"][i][n]).replace('"',"'").replace("\\", "\\\\").replace("None", "")
to
value = str(data["tables"][0]["rows"][i][n]).replace('"',"'").replace("\\", "\\\\").replace("None", "").replace("\r\n","")

This will remove newlines and carriage returns if the field value is a dictionary. Because the field values contain dictionaries with newlines in them, I could see line breaking. This change will avoid the line breaking.

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

One more: the TA is indexing the data with the current time, not with the event time.
Timestamp mapping: add the code below to local/props.conf if you have installed the TA on the HF, or add it on the indexer.

[loganalytics]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX = "TimeGenerated":"

————————————
If this helps, give a like below.
0 Karma
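The two posts above describe two defects in how rows are emitted: nested values with embedded newlines get split by Splunk's line breaker, and events are stamped with the fetch time instead of TimeGenerated. The following is an added example, not code from the TA or from anyone in this thread, showing how a row from the query result can be emitted as one JSON line with the event time taken from TimeGenerated. The SAMPLE_RESPONSE structure is constructed for illustration in the shape the thread's snippet walks (data["tables"][0]["columns"] and ["rows"]); the column names other than TimeGenerated are assumptions. Because the emitted line contains the literal text "TimeGenerated":", the TIME_PREFIX from the props.conf snippet above applies to it unchanged. The thread_style_value() function reproduces the per-cell cleanup posted above so the two approaches can be compared on the same input.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape the thread's snippet walks
# (data["tables"][0]["columns"] / ["rows"]); not a real query result.
# CommandLine carries a CRLF and a bare LF; Properties is a nested dict
# holding a double quote and a backslash.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "Computer", "type": "string"},
            {"name": "CommandLine", "type": "string"},
            {"name": "Properties", "type": "dynamic"},
        ],
        "rows": [
            ["2018-08-15T10:20:30.1234567Z", "web01", "ls\r\n-la\nexit",
             {"note": 'say "hi"', "path": "C:\\temp"}],
            ["2018-08-15T10:21:05Z", "web02", None, None],
        ],
    }]
}

# ISO-8601 with a trailing Z and an optional fraction of any length.
TIME_GENERATED_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_time_generated(value):
    """Parse a TimeGenerated string into an aware UTC datetime.

    Log Analytics emits up to seven fractional digits; strptime and older
    fromisoformat() reject that, so the fraction is truncated to microseconds.
    """
    match = TIME_GENERATED_RE.match(value)
    if not match:
        raise ValueError("unexpected TimeGenerated format: %r" % (value,))
    base = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
    fraction = (match.group(2) or "")[:6].ljust(6, "0")
    return base.replace(microsecond=int(fraction), tzinfo=timezone.utc)


def thread_style_value(value):
    """The per-cell cleanup posted in the thread, for comparison only."""
    return (str(value).replace('"', "'").replace("\\", "\\\\")
            .replace("None", "").replace("\r\n", ""))


def decode_event_line(line):
    """Inverse of rows_to_events() for checking the emitted line."""
    return json.loads(line)


def rows_to_events(data):
    """Yield (epoch_seconds, json_line) for every row of the first table.

    json.dumps() escapes quotes, backslashes and every control character,
    so the whole row, nested dicts included, is one line that the default
    LINE_BREAKER cannot split. The epoch comes from the row's own
    TimeGenerated rather than from the time of the fetch.
    """
    table = data["tables"][0]
    names = [column["name"] for column in table["columns"]]
    for row in table["rows"]:
        event = dict(zip(names, row))
        epoch = parse_time_generated(event["TimeGenerated"]).timestamp()
        # separators=(",", ":") yields exactly "TimeGenerated":"...",
        # which is the TIME_PREFIX used in the thread's props.conf.
        yield epoch, json.dumps(event, separators=(",", ":"))


if __name__ == "__main__":
    for epoch, line in rows_to_events(SAMPLE_RESPONSE):
        print("%.3f %s" % (epoch, line))
```

Run stand-alone it prints one epoch/JSON pair per row. The design point is that serialisation, not character-by-character replacement, is what guarantees a single-line event: a replace() list has to name every control character, whereas a JSON encoder escapes all of them and also preserves the original value for later field extraction.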

jkat54
SplunkTrust

Good stuff, can you create a new post for this so I can track and fold into the code if needed?

0 Karma

thambisetty
SplunkTrust

One more: the TA is not supporting multiple inputs,
since your checkpoint can't differentiate the input name.

I hope you consider all these changes and update the TA, or I will try to complete the TA that I am already working on.

————————————
If this helps, give a like below.
0 Karma
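The post above points out that a single shared checkpoint cannot tell two input stanzas apart. As an added example (not the TA's code), the functions below keep one checkpoint file per input name and write it atomically; the directory layout, the file format, the "oms_prod" stanza used in demo() and the use of TimeGenerated strings as checkpoint values are all assumptions for illustration. Because the input name comes from inputs.conf, it is sanitised before being used as a file name so that a stanza name containing path separators or ".." cannot steer the write outside the checkpoint directory.

```python
import json
import os
import re
import tempfile

# Anything outside this set is replaced before the name becomes a file name.
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")


def checkpoint_path(checkpoint_dir, input_name):
    """One checkpoint file per input stanza, e.g. oms_test_env.json.

    Two inputs therefore never read or overwrite each other's state. The
    stanza name is sanitised: '/' and '\\' become '_' and leading dots are
    dropped, so '../../etc/passwd' stays inside checkpoint_dir.
    """
    safe = _UNSAFE.sub("_", input_name).strip(".") or "default"
    return os.path.join(checkpoint_dir, safe + ".json")


def load_checkpoint(checkpoint_dir, input_name, default_start):
    """Return the last TimeGenerated fetched for this input, or the
    configured Start Date (default_start) on the first run or if the
    file is missing or unreadable as JSON."""
    path = checkpoint_path(checkpoint_dir, input_name)
    try:
        with open(path) as fh:
            state = json.load(fh)
    except (IOError, OSError, ValueError):
        return default_start
    return state.get("last_time", default_start)


def save_checkpoint(checkpoint_dir, input_name, last_time):
    """Write the checkpoint atomically: the value goes to a temporary file
    that is renamed over the old one, so a crash mid-write leaves the
    previous checkpoint intact rather than a truncated file."""
    path = checkpoint_path(checkpoint_dir, input_name)
    os.makedirs(checkpoint_dir, exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"input": input_name, "last_time": last_time}, fh)
    os.replace(tmp, path)
    return path


def demo(checkpoint_dir=None):
    """Two inputs with different fetch windows keep independent state.
    The stanza names and timestamps are constructed for illustration."""
    if checkpoint_dir is None:
        checkpoint_dir = tempfile.mkdtemp(prefix="ckpt_")
    first_run = load_checkpoint(checkpoint_dir, "oms_test_env",
                                "2018-08-15T00:00:00Z")
    save_checkpoint(checkpoint_dir, "oms_test_env", "2018-08-16T12:00:00Z")
    save_checkpoint(checkpoint_dir, "oms_prod", "2018-09-01T08:30:00Z")
    return {
        "first_run": first_run,
        "oms_test_env": load_checkpoint(checkpoint_dir, "oms_test_env", "unset"),
        "oms_prod": load_checkpoint(checkpoint_dir, "oms_prod", "unset"),
        "dir": checkpoint_dir,
    }


if __name__ == "__main__":
    print(demo())
```

demo() shows the behaviour the post asks for: the first read of oms_test_env falls back to its own Start Date, and saving oms_prod afterwards does not disturb what oms_test_env reads back.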

493669
Super Champion

Yes, I had a similar issue: I created an input and, due to an internal problem on our side, the ports got disabled. Then I created a new input with an old fetch date and a new index,
but in the new index the timestamps started from the date the previous input was disabled.

0 Karma

jkat54
SplunkTrust

Please start new questions.

0 Karma

493669
Super Champion

I installed it with the defaults and I see a lag of 2 hours between the event time (_time) and TimeGenerated,
although I set the default lag of 15 min.

0 Karma

thambisetty
SplunkTrust

@493669

The TA is not looking at the event timestamp (TimeGenerated); the TA indexes events with the time at which you fetch them.

————————————
If this helps, give a like below.
0 Karma

493669
Super Champion

@thambisetty, yes, the TA will index events with the time I fetch them... but I scheduled it to run every 60 sec, so there should not be much lag...
I think @jkat54 pointed out something regarding UTC...

0 Karma

dpanych
Communicator

I believe we are using UTC, according to the 'now' variable: datetime.datetime.utcnow()

0 Karma

jkat54
SplunkTrust

I think I missed a code change where we forced UTC. @dpanych

Familiar?

0 Karma


jkat54
SplunkTrust

I just released v1.0.1 that renames Workspace Name to Workspace ID.

Thanks for reporting the bug.

0 Karma