Splunk Search

Splunk and Azure SQL audit via Event Hub


I'm not sure how to even troubleshoot this.

A few weeks ago, we started a dropoff in events into splunk.   We are sending Azure SQL Server audit logs via event hub picked up by Azure Add-on for Splunk.   our traffic has NOT changed.   Our HF has not changed.

I can't see my activity anymore (a month ago i saw everything I did).   Now, i have no visibility to my traffic.   I am seeing traffic from web servers and some other users, but not sure i trust it now.   There has been a drop off in events.

What can I do to troubleshoot what is going on here?  I can turn on verbose logging, but since i can't throttle or specify what is getting logged (server log, not db log), it would be 000s of messages in a very heavily used database.


Labels (1)
Tags (1)
0 Karma


Azure Event Hub connectivity was recently deprecated in the Azure Add-on for Splunk. That functionality has been moved to the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/). Not saying there isn't another issue causing the drop-off, but it might be worth investigating moving that Event Hub connection to the other add-on.

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...