Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

pull Azure event hub logs to Splunk

splunklearner
Communicator
‎04-11-2025 08:02 AM

How can we pull Azure event hub logs to Splunk? I check that we cannot use HEC configuration for pulling the data. When I was checking for apps, there are 3-4 apps present for this: but I have found most of them are not supported now and older version. I found this app - https://splunkbase.splunk.com/app/3110. Not sure how to configure this? Is there any other add-on or approach we can follow to pull event hubs Azure logs to Splunk? Any leads would be appreciated.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
‎04-11-2025 02:06 PM

Hi @splunklearner 

If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Cloud Services app.

This aligns with the recommendations here: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2025 09:35 AM

@livehybrid's answer is a good one.

In general, HEC cannot pull data from any source.  It is merely a receiver for data pushed to Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

splunklearner
Communicator
‎04-11-2025 09:38 AM

@richgalloway according to you what will be the best approach for us? Ours is Splunk enterprise and our Splunk instances residing on AWS cloud. Azure team confirmed that pushing is not possible. 

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
‎04-11-2025 02:06 PM

Hi @splunklearner 

If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Cloud Services app.

This aligns with the recommendations here: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2025 11:50 AM

Install the app you cited in the OP on a heavy forwarder and use that to pull data from Azure using API calls.  The HF will forward the data to Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

livehybrid
Super Champion
‎04-11-2025 09:00 AM

Hi @splunklearner 

The docs state "As a general rule, Data Manager is the recommended method of data ingestion for Splunk Cloud customers for supported data sources where available" Are you using Splunk Cloud?

Its also worth checking the following Lantern docs https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub... as an alternative - this uses Splunk Add-on for Microsoft Cloud Services which you've already referrenced.

Either of these options are good contenders. Alternatively there is a third option, which is to use HEC and Azure Functions to push the data. Check out https://github.com/splunk/azure-functions-splunk/blob/master/event-hubs-hec/README.md for more information around this. 

Ultimately the best option for you depends on a number of factors - such as Cloud/Enterprise but also if you have the engineering support for things like Azure Functions etc.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution

splunklearner
Communicator
‎04-11-2025 09:36 AM

@livehybrid  Splunk enterprise not Splunk Cloud.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top