
Why is Azure Cloud Event-Hub Splunk Integration only showing one sourcetype?

avoelk
Communicator

Currently we're getting data from Azure Cloud, which sends certain logs to an event hub our customer set up. Then we pull the data from the event hub just as stated in the documentation with the MS Cloud Services add-on.

Our problem now is that our customer wanted to see some dashboards filled out with the incoming data. Normal request, we thought, so we installed the Microsoft Azure App for Splunk. There we saw nothing.

after further investigation we saw two things:

- the incoming data fields are all extracted but horribly named with long strings of names

- the sourcetype for all logs (around 7 different ones) is all something like xyz_eventhub which the app understandably doesn't know and can't use. 

 

So my question is how to fix the issue of only having one sourcetype, even though the props/transforms within the cloud services add-on should extract everything perfectly. We are currently thinking about splitting the data with the help of regex and props/transforms conf into the needed sourcetypes, but I'm like "why the frick doesn't it work in the first place? I mean, the vendor is Microsoft and not a third-party no-name"

 

Glad for any ideas, guys!

bahndg
Explorer

You may use Splunk Add-on for Microsoft Cloud Services https://splunkbase.splunk.com/app/3110/ in version 4.3.3+ (loops body.records now) and then use Microsoft Cloud Services Event Hub True Fashion Add-on for Splunk https://splunkbase.splunk.com/app/6508/

Your Azure Event hub message body nesting is completely gone now.

avoelk
Communicator

Didn't see the answer, I'll try it out. Thanks a lot 🙂
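
The props/transforms split mentioned in the question, sketched as an added example (it is not from either poster and not the add-on's own configuration): an index-time sourcetype override keyed on the `category` value inside each record. `xyz_eventhub` is the placeholder sourcetype from the question; the category values, the stanza names and the `placeholder:*` target sourcetypes are assumptions to replace with what your Event Hub records contain and what the dashboard app's searches expect. It also assumes one record per event.

```ini
# props.conf -- deploy on the instance that parses the Event Hub input
# (the heavy forwarder or indexer where the modular input runs)
[xyz_eventhub]
# Transforms run in order; an event keeps xyz_eventhub if none match
TRANSFORMS-split_eventhub = eventhub_signin_sourcetype, eventhub_audit_sourcetype

# transforms.conf -- same instance
[eventhub_signin_sourcetype]
# SOURCE_KEY defaults to _raw, so the regex is applied to the raw JSON event
REGEX = "category"\s*:\s*"SignInLogs"
DEST_KEY = MetaData:Sourcetype
# Placeholder target: use the sourcetype the dashboards search for
FORMAT = sourcetype::placeholder:signin

[eventhub_audit_sourcetype]
REGEX = "category"\s*:\s*"AuditLogs"
DEST_KEY = MetaData:Sourcetype
# Placeholder target: use the sourcetype the dashboards search for
FORMAT = sourcetype::placeholder:audit
```

The override applies only to events indexed after the change, so already-indexed data keeps the original sourcetype. Search-time settings of the new sourcetype apply to the rewritten events, but its index-time settings (line breaking, timestamp parsing) do not, because parsing has already happened under `xyz_eventhub`.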
