Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

pull Azure event hub logs to Splunk

splunklearner
Communicator
‎04-11-2025 08:02 AM

How can we pull Azure event hub logs to Splunk? I check that we cannot use HEC configuration for pulling the data. When I was checking for apps, there are 3-4 apps present for this: but I have found most of them are not supported now and older version. I found this app - https://splunkbase.splunk.com/app/3110. Not sure how to configure this? Is there any other add-on or approach we can follow to pull event hubs Azure logs to Splunk? Any leads would be appreciated.

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-11-2025 02:06 PM

Hi @splunklearner 

If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Cloud Services app.

This aligns with the recommendations here: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2025 09:35 AM

@livehybrid's answer is a good one.

In general, HEC cannot pull data from any source.  It is merely a receiver for data pushed to Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

splunklearner
Communicator
‎04-11-2025 09:38 AM

@richgalloway according to you what will be the best approach for us? Ours is Splunk enterprise and our Splunk instances residing on AWS cloud. Azure team confirmed that pushing is not possible. 

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎04-11-2025 02:06 PM

Hi @splunklearner 

If you arent on Splunk Cloud and you're team say it isnt possible (for whatever reason) to use Push based approach then I would recommend using the Splunk Add-on for Microsoft Cloud Services app.

This aligns with the recommendations here: https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2025 11:50 AM

Install the app you cited in the OP on a heavy forwarder and use that to pull data from Azure using API calls.  The HF will forward the data to Splunk.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎04-11-2025 09:00 AM

Hi @splunklearner 

The docs state "As a general rule, Data Manager is the recommended method of data ingestion for Splunk Cloud customers for supported data sources where available" Are you using Splunk Cloud?

Its also worth checking the following Lantern docs https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub... as an alternative - this uses Splunk Add-on for Microsoft Cloud Services which you've already referrenced.

Either of these options are good contenders. Alternatively there is a third option, which is to use HEC and Azure Functions to push the data. Check out https://github.com/splunk/azure-functions-splunk/blob/master/event-hubs-hec/README.md for more information around this. 

Ultimately the best option for you depends on a number of factors - such as Cloud/Enterprise but also if you have the engineering support for things like Azure Functions etc.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Solved! Jump to solution

splunklearner
Communicator
‎04-11-2025 09:36 AM

@livehybrid  Splunk enterprise not Splunk Cloud.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...