Getting Data In

Splunk Add-on for Microsoft cloud services


Guys, could you please shed some light here?

I have configured azure api management to stream events to event hub and Spunk add-on to connect to event hub. I am receiving the below error.

I have given the Azure Event hub data receiver role to the IAM account used in the integratiion.

2021-05-31 14:58:33,763 level=ERROR pid=9469 tid=MainThread logger=__main__ | datainput="myapim" start_time=1622473113 | message="Data input was interrupted by an unhandled exception." Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/lib/splunksdc/", line 70, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/", line 636, in run consumer = self._create_event_hub_consumer(workspace, credential, proxy) File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/", line 592, in _create_event_hub_consumer args.consumer_group, File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/", line 215, in open checkpoint = SharedLocalCheckpoint(fullname) File "/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/bin/", line 87, in __init__ self._fd =, os.O_RDWR | os.O_CREAT) FileNotFoundError: [Errno 2] No such file or directory: '/opt/splunk/var/lib/splunk/modinputs/mscs_azure_event_hub/Endpoint=sb://;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=xxxxxxxxx-myeventhub-myconsumergroup.v1.ckpt'
Labels (1)


@Knightrider1234  I found a solution. I searched and couldn't find an answer so I will post this here for anyone else that is experiencing the issue above.
I initially started with the Microsoft Azure Add-on for Splunk. I found "The Event Hub input has been deprecated in this add-on. Please use the Splunk supported Splunk Add-on for Microsoft Cloud Services to ingest Event Hub data" on the inputs page of the app.

I then figured out the difference:

Microsoft Azure Add on for Splunk (now deprecated)
-> ingests Eventhubs through old ClientSecret String

Splunk Add-on for Microsoft Cloud Services
-> ingests Eventhubs through modern Azure-AD app with Reader rights into eventhub

You must navigate to Subscriptions -> your subscription -> Access Control (IAM) -> Select (+Add) and give the Splunk app Azure Event Hubs Data Receiver. In the Event Hub set-up of the Splunk Add-on for Microsoft Cloud Services give the FQDN only (e.g. and provide the event-hub name in the following field. This worked for me and I immediately started getting logs in.

Hope this helps!

0 Karma


Wondering if someone have resolved this issue already as I am having same issue.

0 Karma


I am having the same issue. 

0 Karma


Hello ... Did you ever get this resolved? I'm running into the same issue. It seems to have something to do with the event_hub_namespace parameter in the config file, but I've not been successful at figuring out what the problem is.


Thank you.

0 Karma


Hi gazoscreek,

Sorry for the late response. I am still having the same issue.  

I am waiting for someone from this community to shed some light.

0 Karma


Hey all, I am experiencing the same issue. @KnightRider @gazoscreek any update or working usecase?

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...