@Knightrider1234  I found a solution. I searched and couldn't find an answer so I will post this here for anyone else that is experiencing the issue above. I initially started with the Microsoft Azure Add-on for Splunk. I found "The Event Hub input has been deprecated in this add-on. Please use the Splunk supported Splunk Add-on for Microsoft Cloud Services to ingest Event Hub data" on the inputs page of the app. I then figured out the difference: Microsoft Azure Add on for Splunk (now deprecated) -> ingests Eventhubs through old ClientSecret String Splunk Add-on for Microsoft Cloud Services -> ingests Eventhubs through modern Azure-AD app with Reader rights into eventhub You must navigate to Subscriptions -> your subscription -> Access Control (IAM) -> Select (+Add) and give the Splunk app Azure Event Hubs Data Receiver. In the Event Hub set-up of the Splunk Add-on for Microsoft Cloud Services give the FQDN only (e.g. lab-eventhub.servicebus.windows.net) and provide the event-hub name in the following field. This worked for me and I immediately started getting logs in. Hope this helps! ... View more

it should be daily indexed rate as per Splunk docs and not ingested rate ... View more

@bolaojewale Ok good to know. Thanks for the quick response.  ... View more