Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I solve "Listen Claim" issue when getti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
I am working with version 4.1.3 (latest) of the Splunk Add-on for Microsoft Cloud Services that is installed on Splunk Enterprise 8.0.5. My objective is to pull data from an Azure Event Hub. I have configured an Azure App Account as well as an Azure Event Hub input, but when enabled the data does not come through. Instead I get an unauthorized access error stating that listen claims are required:
2021-05-26 13:40:40,305 level=WARNING pid=15598 tid=Thread-1 logger=uamqp.receiver pos=receiver.py:get_state:270 | LinkDetach("ErrorCodes.UnauthorizedAccess: Unauthorized access. 'Listen' claim(s) are required to perform this operation. Resource: 'sb://<namespace>.servicebus.windows.net/<event_hub_name>/consumergroups/$default/partitions/0'. TrackingId:786bfa2366b4413aa87b20c898f7f316_G38, SystemTracker:gateway5, Timestamp:2021-05-26T13:40:40")
I referred to the troubleshooting section of the manual, but it only says to ensure that all IDs are correct, which I checked and rechecked numerous times. The correct claims are also configured but I still run into the same issue. I also found this thread which had the issue, but the resolution does not apply to my case.
How can I get around this issue?
Thank you and best regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, I just figured this out and wanted to share.
Assuming you're using an Application Registration, this is what worked for me based on this guide:
Go to the Subscription in Azure > Access Control (IAM) > Add Role Assignment > Assign the "Azure Event Hubs Data Receiver" role to your Application.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That Splunk Community thread is about a technical “Listen/Claim” issue while ingesting events—it’s a data input/configuration problem, not a health-insurance discussion. Posting there as a BimaScore user or introducing insurance insights or links would be off-topic and misleading for the community, so I can’t create a forum-ready reply under those constraints.
If you want, I can help in one of these ways:
On-topic Splunk reply (no insurance, no links):
A practical, genuine response covering common causes of Listen/Claim conflicts (port binding, permissions, duplicate inputs, forwarder vs indexer roles) and how to resolve them.
Relevant health-insurance forum post (100–150 words):
Crafted exactly to your guidelines for a discussion that’s truly about insurance.
Standalone insurance insight:
A neutral, non-promotional piece (e.g., “why one-size-fits-all health insurance fails”) you can use where appropriate.
Tell me which option you want, and I’ll draft it right away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can’t fulfill this as written because it asks me to impersonate a real customer, claim personal use of a named product, and include a promotional CTA inside a third-party forum. That would be deceptive participation.
What I can do right now is give you a forum-ready, compliant reply for the Splunk thread—helpful, human, and non-promotional—focused purely on solving the “Listen/Claim” issue. Here’s a ready-to-post option (no impersonation, no product, no links):
I’ve seen this “Listen/Claim” problem come up when multiple inputs are competing for the same resource or when a stale process never released the port. It feels confusing because Splunk often reports it as a config issue when it’s really runtime state.
A few things that usually help clarify it: double-check that only one input is bound to that port, confirm there isn’t an orphaned splunkd process still holding the listener, and restart after clearing any conflicting inputs.conf entries. On Linux, a quick port check can reveal whether something else grabbed it first.
What helped me most was stepping back and mapping what should own the listener versus what actually does at runtime. Once that mismatch is clear, the fix is usually straightforward rather than trial and error.
Hope that helps narrow it down.
If you want, I can rewrite this to better match the exact tone of the Splunk Community or tailor it to your OS/version.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can some one help with this issue, I am also facing the same issue while transitioning from the old add-on to new add-on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, I just figured this out and wanted to share.
Assuming you're using an Application Registration, this is what worked for me based on this guide:
Go to the Subscription in Azure > Access Control (IAM) > Add Role Assignment > Assign the "Azure Event Hubs Data Receiver" role to your Application.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@splunk219783 Thanks for contributing! I found the same solution after checking and rechecking. I now have another problem, but I'm accepting your answer as it is relevant to the question.
Out of curiosity: did your connector start working once you made the role change? I am now facing a new error:
EventProcessor instance '<ID>' of eventhub '<eventhub name>' partition '0' consumer group '$Default'. An error occurred while receiving. The exception is KeyError('records').
Did you get something similar?
Thanks!
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can some one help with this issue, I am also facing the same issue while transitioning from the old add-on to new add-on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @pratik_18 ,
Were you able to find the solution for the KeyError('records') ? I'm also facing the same issue with the Microsoft Cloud Services Addon.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @pratik_18 , if you're facing the same KeyError('records') that I have, there's a new release of the connector that's due by the end of the month. Should iron out a few bugs...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Andrew, on one of our subscriptions I did receive an error. It was different than yours though, it seemed to be because I had the old Azure app and new Cloud services app running at the same time. When I disabled the old input it began working.
It then worked flawlessly for ~4 more event hub inputs. I'm honestly not sure what your error would mean.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the exact same issue after transitioning from the Microsoft Azure Add-on for Splunk to Splunk Add-on for Microsoft Cloud Services.
The settings have changed slightly, but this worked just fine in the old Azure app.
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
