Hello Vatsal,

Thanks for the response.  I don't see any errors in the Splunkd log.  I will reach out to Splunk support for assistance.

Best regards.

Hello,

I'm facing the same issue. do you use event hub before the data goes to splunk? at least that's what was written in many documentations that this is necessary. 

anyways, the problem results in the use of event hub. since event hub is only giving one sourcetype for all the data that it is processing, something like "xyz_eventhub" so the azure app can't handle this since it is looking for sourcetypes for health report, signins etc. 

as far as I understand I have to split all the incoming data in props/transforms according to specific markers, such as category of the event and then regex it to work. 

maybe that's the way you have to go too? if there is another way, I'm all ears btw. 

cheers,

Anyone get this fixed ? I have the same issues 

hi, we are facing same issue - no errors, everything looks clean, all config looks ok and still no logs are being ingested. I wonder if that even hub is really necessary for this add-on to work? I am really looking to pull data via API... and for now without event hub. Anyone has any ideas where do we start digging? Could that be anything at Azure side that we are missing? Maybe permissions or something?  

@avoelkany leads on the mscs:azure:eventhub single sourcetype data feed?