I added the Input via the GUI and have triple-checked the details. Still, I get the errors in splunkd.log below:
======
10-22-2018 06:21:36.977 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" Modular input azure_diagnostic_logs://AMDL No connection on hub: insights-logs-alerts. Is there a network route to the endpoint?
10-22-2018 06:22:14.105 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh" File "mask_secret.py", line 31, in
10-22-2018 06:22:14.105 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh" import splunklib.client as client
10-22-2018 06:22:14.105 +0000 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh" ImportError: No module named splunklib.client
=========================
Is it a network or an application issue? The Heavy Forwarder that this TA is installed on 'should' have the necessary outbound permissions. I presume you don't have to modify any inbound ACLs on the Eventhub?