In an attempt to bring in some additional Azure AD data we have begun using the Microsoft Azure Add-on for Splunk, however we are not seeing any results actually come back to Splunk, and not seeing any errors in collection. When enabling debug logging I can see that we are getting a http status code of 200, but a content length of 'None' 2020-03-20 19:44:33,920 DEBUG pid=62692 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-03-13T19%3a29%3a45.102703Z+and+activityDateTime+le+2020-03-20T19%3a22%3a45.501341Z&$skiptoken=f207127ca72cc8e1dca1f7873280c23e_326040 HTTP/1.1" 200 None And the python which generates the logs to see that the length is the final attribute of that log message in connectionpool.py:_make_request:400 log.debug("%s://%s:%s \"%s %s %s\" %s %s", self.scheme, self.host, self.port, method, url, http_version, httplib_response.status, httplib_response.length) The service continues to run and get 200 responses, and even finding the next link to go to from @odata.nextLink within the JSON returned, even though the debug logging shows no content length. 2020-03-20 19:44:34,136 DEBUG pid=62692 tid=MainThread file=base_modinput.py:log_debug:286 | _Splunk_ nextLink URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-03-13T19%3a29%3a45.102703Z+and+activityDateTime+le+2020-03-20T19%3a22%3a45.501341Z&$skiptoken=a05e0f88b9ed79f47b8955baefdf862c_327085 I have been able to replicate the action being used by the TA within Postman using the Microsoft Graph Collection and environment (https://docs.microsoft.com/en-us/graph/use-postman) where I can see plenty of data returned from each one of the URLs provided and I am using the exact same Azure AD application with the same client id and secret. I am trying to dig through the actual python but I have not been able to find anything in relation to causing this issue yet. ... View more

I have recently deployed the Splunk OVA for VMWare which acts as the Data Collection Node to use with the Splunk app and Add-ons for VMWare. I have followed the install and configuration instructions from the documentation which was fairly simple, but now when I go to the collection configuration page within the VMWare app I can make a successful connection, but I am left with "Username/Password are good but apps are not there" in Add-on Validation. Since this was deployed from an OVA, it should have all the apps pre-installed. As well, I have confirmed that I can see all the add-ons on the Data Collection node in /opt/splunk/etc/apps that are listed as needed in the below link. (might not show up because of low karma but is the Installation Overview for the VMWare add-ons.) http://docs.splunk.com/Documentation/AddOns/released/VMW/Installationoverview Has anyone seen something like this before or have any suggestions on what to try next? Edit: I recognized that my OVA, indexers and search heads had different versions running of the apps and add-on, so I upgraded all to the latest 3.4.1 package, but still am unfortunately seeing the same error. I had hoped the versioning difference would have solved it not finding the apps, but was not that lucky today. ... View more