Solved: Re: Azure Add-on user data truncation

drobMT · ‎10-12-2020

I'm using the Azure Add-on for splunk to pull in our azure AD signin, audit and user data; all is work well for the most part with the exception of some user events (sourcetype="azure:aad:user") seem to have truncated json and therefore don't parse correctly.

Is there a limit setting for this that can remediate this?

richgalloway · ‎10-13-2020

You should be able to change the truncation in the app's local/props.conf file.

[azure:aad:user]
TRUNCATE = some big enough number

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-13-2020

You should be able to change the truncation in the app's local/props.conf file.

[azure:aad:user]
TRUNCATE = some big enough number

---
If this reply helps you, Karma would be appreciated.

drobMT · ‎10-13-2020

Thanks! I added a /local/props.conf with

[azure:aad:user]
TRUNCATE = 20000

and that worked.

I found by default that it was truncating at 10000. So i guessed and used 20000; that seemed to work.

I then searched the most recent data pull for raw events that didn't match (looking for events without the closing "}" at the end of the JSON event).

index=azuread sourcetype="azure:aad:user"  
| regex  _raw!="\}$"

When nothing matched I knew I was big enough. So I verified with

index=azuread sourcetype="azure:aad:user" 
| eval CharCount=len(_raw) 
| stats max(CharCount) as maxCharCount

and found my largest event (user profile) was just under 16000 characters, so 20k gives me some margin of error.

Thanks for your help!

drobMT · ‎10-13-2020

I'll give that a shot and see what happens! Thanks!

Azure Add-on user data truncation

field extraction

JSON

sourcetype

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services