Splunk Enterprise

TA-ms-loganalytics add-on on heavy forwarder

monicapandrakul
New Member
I have installed TA-ms-loganalytics on my heavy forwarder, and from this add-on I am getting various logs from my Azure workspace into Splunk. Now I am facing a problem where the event count in Splunk varies from what I have in my Azure LA workspace. This is for Activity Logs.
On Azure LA workspace Activity Logs count: 90+
On Splunk Activity Logs count: 6-8 only

Is the add-on breaking at some point, or is there a blocker on the Azure end? Kindly help.

jkat54
SplunkTrust

Please share your inputs.conf config, minus the sensitive details😉


monicapandrakul
New Member
[LA://Source_AzureActivity]
application_id = #################
application_key = ***********
event_delay_lag_time = 15
index = myazureactivity_index
sourcetype = myazureactivity_sourcetype
interval = 300
log_analytics_query = AzureActivity | where ResourceGroup != ""
resource_group = TTTTTTTTTTT
start_date = 01/01/2019 00:00:00
subscription_id = ###########################
tenant_id = **********************************
workspace_id = ###################################
disabled = 0
 
We have a similar configuration for the rest of the inputs, but I am seeing a lower count only for Azure Activity.

monicapandrakul
New Member

@jkat54  
