This was the trick. Thank you!

@david_panych @maciep

You might be interested in this link we found too

@dpanych

sorry @david for multiple tags. See you at the next UG meeting maybe, checking flights now

I definitely appreciate the effort. If there are upcoming changes to the way data is pulled this probably doesn't matter too much.

I tried escaping the pipe and the quotes and always got the same error. Yes that is it in full above from the splunk GUI. Here is the lines directly from the oms_inputs.log file:

2018-06-27 16:46:12,069 ERROR pid=4584 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\ta_oms_inputs\modinput_wrapper\base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\input_module_oms_inputs.py", line 86, in collect_events
    search_id = data["id"].split("/")
KeyError: 'id'

Any idea if there is a way to see the query as submitted to OMS using the correlation_id? My OMS guy wasn't aware of one.

Yes on the correlationid but it’s in azure audit logs iirc. However it’s more to the tune of “this GET request was made using this account”. Nothing diagnostic / debugish to my knowledge. I very well could be wrong though.

Is there anything happening in index=_internal sourcetype=splunk_python ?

If not, I’m happy to spend an hour or so on webex to help. Just needs to be next week and after 5pm eastern if possible. Or before 9am. Can’t work on it when I’m obligated to other tasks.

Send me an email and we’ll work it out: mbentley rtptech.com. @ removed to prevent spam.

index=_internal sourcetype=splunk_python OR (sourcetype=splunkd AND oms_inputs.py)

Here’s the best search for debugging this thing.