Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Microsoft Azure Active Directory Reporting Add-on for Splunk not retrieving all events.

GRMcCauley
Explorer
‎10-22-2018 03:44 PM

We have an issue with the Microsoft Azure Active Directory Reporting Add-on for Splunk where it's not retrieving all the signin events.

We currently have our interval set at 60 seconds. We can turn up logging to debug and watch the log and the AzureAD Portal side by side. Occationally, the addon runs but returns 0 events even though we can see a new event in the portal. To one up this, we can also run the same API query with Postman and get the new events, so I'm pretty sure the issue is on the addon side and not the api side.

I would say that this isn't a big deal since it didn't update the checkpoint (since it didn't find any events), it should find the event on the next run. NOT! Even on the next run it's not finding the event. Eventually, we'll get a new signing and the addon will get that event and completely skip the missed event. In the last 20 minutes, I've had 15 signin events in the AzureAD Portal and querying API via Postman, but I only have 8 signin events in Splunk.

Has anyone else experienced similiar?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...