Getting Data In

Azure Add-on user data truncation

drobMT
Explorer

I'm using the Azure Add-on for Splunk to pull in our Azure AD sign-in, audit and user data; all is working well for the most part, with the exception that some user events (sourcetype="azure:aad:user") seem to have truncated JSON and therefore don't parse correctly.

Is there a limit setting for this that can remediate this?


richgalloway
SplunkTrust
SplunkTrust

You should be able to change the truncation in the app's local/props.conf file.

[azure:aad:user]
TRUNCATE = some big enough number
---
If this reply helps you, Karma would be appreciated.


drobMT
Explorer

Thanks! I added a /local/props.conf with

[azure:aad:user]
TRUNCATE = 20000

and that worked.

I found by default that it was truncating at 10000. So I guessed and used 20000; that seemed to work.

I then searched the most recent data pull for raw events that didn't match (looking for events without the closing "}" at the end of the JSON event).

index=azuread sourcetype="azure:aad:user"
| regex _raw!="\}$"

When nothing matched I knew I was big enough. So I verified with

index=azuread sourcetype="azure:aad:user"
| eval CharCount=len(_raw)
| stats max(CharCount) as maxCharCount

and found my largest event (user profile) was just under 16000 characters, so 20k gives me some margin of error.

Thanks for your help!


drobMT
Explorer

I'll give that a shot and see what happens! Thanks!
