Splunk Search

Splunk and Azure SQL audit via Event Hub


I'm not sure how to even troubleshoot this.

A few weeks ago, we started a dropoff in events into splunk.   We are sending Azure SQL Server audit logs via event hub picked up by Azure Add-on for Splunk.   our traffic has NOT changed.   Our HF has not changed.

I can't see my activity anymore (a month ago i saw everything I did).   Now, i have no visibility to my traffic.   I am seeing traffic from web servers and some other users, but not sure i trust it now.   There has been a drop off in events.

What can I do to troubleshoot what is going on here?  I can turn on verbose logging, but since i can't throttle or specify what is getting logged (server log, not db log), it would be 000s of messages in a very heavily used database.


Labels (1)
Tags (1)
0 Karma


Azure Event Hub connectivity was recently deprecated in the Azure Add-on for Splunk. That functionality has been moved to the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/). Not saying there isn't another issue causing the drop-off, but it might be worth investigating moving that Event Hub connection to the other add-on.

0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2023 Splunk Career Impact Report

We’ve been shouting it from the rooftops! The findings from the 2023 Splunk Career Impact Report showing that ...

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...