I'm sending data from Azure SQL via event hub.   Been using the MS add on for splunk, which as been working pretty well, but as its EOL, trying the Splunk Add-on for Microsoft Cloud Services.   First thing i noticed is how different the logs are stored. MS Add-on json is clear. properties.server_principal_name,  properties.statement Splunk add on for MS cloud services: 2 -4 records for each event.   Takes 20=30 seconds to render in a search (index=sql). records{}.properties.server_principal_name, records{}.properties.statement.  each one will have 2-4 values in it (SQLUSER, WEBUSER, OPSUSER).   Strange thing is there will be 2-4 statments or other fields (records{}.properties.succeeded (true,true, true,true).   wHy 3 users and 4 success? I'm trying to query this thing to get certain traffic such as records{}.properties.server_principal_name="webuser" | table records{}.properties.statement and all records returned but the statements returned are multiple, or simply not statements from WEBUSER.   My source is correct for audit logs mcsc:azure:eventhub Is this the way is supposed to act and if so, can i get any pointers on how to spath query this thing working given if i wanted only statements from WEBUSER and that could be the 0,1,2,3 element in a nest on each event?   ... View more

I was using the MS Azure add-on for splunk.  Trying to switch to Splunk Add-on for MS cloud services.   One thing i noticed is that the event hub i was using is appending event hub events into the same splunk event.   Ie, instead of 8 events in Event Hub, and 8 events in splunk (which i saw in ms azure add-on for splunk), I get 2 events of 4 body.records[].service_principal_name.    The # of appended events is related to the # of partitiions, however, this thing doesn't seem to work w/ 1 partition.  Keep getting can not find partition 0 of 0 when the eventhub is 1 partition.  Formatting is TERRIBLE and it takes 30 seconds to render the 1st record in a search since raw so large. Any ideas what's going on here?   This supposed to be by design? ... View more

I'm not sure how to even troubleshoot this. A few weeks ago, we started a dropoff in events into splunk.   We are sending Azure SQL Server audit logs via event hub picked up by Azure Add-on for Splunk.   our traffic has NOT changed.   Our HF has not changed. I can't see my activity anymore (a month ago i saw everything I did).   Now, i have no visibility to my traffic.   I am seeing traffic from web servers and some other users, but not sure i trust it now.   There has been a drop off in events. What can I do to troubleshoot what is going on here?  I can turn on verbose logging, but since i can't throttle or specify what is getting logged (server log, not db log), it would be 000s of messages in a very heavily used database.   ... View more

I'm trying to produce an alert based on a user logged in w/ 2 ips within 10 minutes.   I have a way to determine if they have it, however, i would like to see the IPS addresses they had in the alert.   How can i achieve this? The following will trigger, but need to see the ips as well. index="w3logs" earliest = -10m | eval tempx = split(X_Forwarded_For,",") | eval ip=mvindex(tempx,0) | stats dc(ip) as dup by cs_username | where dup > 1 ... View more

I'm using the Microsoft Azure add on for splunk to read from event hub in Azure.   I am using Splunk cloud and a heavy fowarder in Azure. Two Problems, 1st.    The data showing up is one big field of JSON.  I've tried to extract in splunk cloud, but its getting mangled. 2nd.  Can i limit this.  75% of my fields are useless and and taking up space. Can anyone help me out with either issue? I am using a heavy fwd'r.    Splunk support does tell me to use spath.   But how do i do this in parsing event hub data?   Do i need  different addon? ... View more

I"d like to send audit data through an event hub.   However, i want my heavy fwd'r to not send all fields to splunk as 75% of is will be useless and take up all my ingesting quota.  Is there an easy way to do this?  The data coming in is Azure SQL where i don't beleive i can change data going into the hub. ... View more

Has anyone had luck gathering and ingesting SQL Azure Audit logs from a blob storage?   I've seen articles on azure AD, and on NON-Azure SQL from a drive letter, but looking for something specific on loading up those pesky eml files from blob (or should i be doing something else to get the data into splunk?). ... View more