Getting Data In

Unable to receive data from Splunk add-on for Microsoft cloud service

nithin204
Explorer

Hi Splunkers, we have a Splunk HF on Azure and we have installed the add-on for Microsoft cloud services on the HF. I am able to connect to the storage account on Azure from the connection section with a SAS token.

When I created the inputs to collect the data from the blobs in the storage account, I don't see any data coming into Splunk. I have tried leaving the blob field empty and adding a wildcard (*), but I still don't see any data.

 

The only error message that I see in the corresponding logs is the "AuthorizationResourceTypeMismatch" error. Not really sure what the error means and what permissions need to be changed. Has anyone faced this issue? Can someone please help?

 

0 Karma

shivanshu1593
Builder

What are the internal logs saying for this add-on in the _internal index? If you can share the error messages, we can help you find the solution.

For the error that you shared, "AuthorizationResourceTypeMismatch", it usually indicates that the credentials that you gave Splunk to connect to Azure do not have the authorization to perform the said operation. You may want to give it more permissions.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
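
An added example, not part of either post and not the add-on's own code: Azure Storage returns AuthorizationResourceTypeMismatch when an account SAS's signed resource types (`srt`) do not cover the resource type the request touches, so this sketch audits the token's fields offline. It assumes the input needs to list blobs in a container and read each blob; the function name and the sample tokens are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Assumption: the input lists blobs in a container, then reads each blob.
REQUIRED = {
    "ss": ("b", "signed services, b = Blob"),
    "srt": ("co", "signed resource types, c = container, o = object"),
    "sp": ("rl", "signed permissions, r = read, l = list"),
}

# Constructed sample tokens; the sig values are placeholders, not real signatures.
SERVICE_ONLY = "?sv=2022-11-02&ss=b&srt=s&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
SUFFICIENT = "sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"


def audit_account_sas(token, now=None):
    """Return findings for an account SAS; an empty list means the fields look sufficient."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    if "srt" not in fields:
        return ["no srt field: this is not an account SAS"]
    findings = []
    for key, (needed, meaning) in REQUIRED.items():
        missing = "".join(sorted(set(needed) - set(fields.get(key, ""))))
        if missing:
            findings.append(f"{key} lacks {missing} ({meaning})")
    expiry = fields.get("se")
    if expiry:
        end = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if end.tzinfo is None:  # date-only values parse as naive; treat as UTC
            end = end.replace(tzinfo=timezone.utc)
        if end <= now:
            findings.append(f"se expired at {expiry}")
    return findings


if __name__ == "__main__":
    for name, tok in (("service-only", SERVICE_ONLY), ("sufficient", SUFFICIENT)):
        print(name, audit_account_sas(tok) or "ok")  # never log the token or its sig
```

A token that fails this audit has to be regenerated with the missing resource types or permissions, since its fields are covered by the signature and cannot be edited afterwards.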