All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Microsoft Azure Add on for Splunk no longer pulling event hub data

junshi
Explorer
‎01-28-2021 11:29 AM

Logs have been working fine until this week, now I get the error:

 

 

ERROR pid=15289 tid=MainThread file=base_modinput.py:log_error:307 | _Splunk_ Error getting event hub data for hub: insights-logs-signinlogs, resource: 3. Detail: The service was unable to process the request; please retry the operation. For more information on exception types and proper exception handling, please refer to http://go.microsoft.com/fwlink/?LinkId=761101 TrackingId:abe05384f2aa4f528eaad64feccc1e53_G8, SystemTracker:gateway5, Timestamp:

ErrorCodes.InternalServerError: The service was unable to process the request; please retry the operation. For more information on exception types and proper exception handling, please refer to http://go.microsoft.com/fwlink/?LinkId=761101 TrackingId:abe05384f2aa4f528eaad64feccc1e53_G8, SystemTracker:gateway5, Timestamp:

 

Also seeing these errors around the same time:

ERROR pid=48797 tid=MainThread file=base_modinput.py:log_error:307 | _Splunk_ Error getting event hub data for hub: insights-logs-auditlogs, resource: 2. Detail: ('Connection aborted.', BadStatusLine("''",))

This is happening for multiple hubs?

Azure App v2.1.0

Spunk v7.3.3

@jconger !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

junshi
Explorer
‎02-18-2021 07:52 AM

Found the solution, the number of eventhub events had increased and the default settings for the Microsoft Azure Add-on App were no longer able to keep up.

I increased the setting for "Max batch Set Iterations" from 100 to 1000.

I then checked the eps for this source and saw a 50% increase. After a few days, the logs finally caught up and we are now pulling logs in a timely manner.

View solution in original post

Reply
Solved! Jump to solution
Solution

junshi
Explorer
‎02-18-2021 07:52 AM

Found the solution, the number of eventhub events had increased and the default settings for the Microsoft Azure Add-on App were no longer able to keep up.

I increased the setting for "Max batch Set Iterations" from 100 to 1000.

I then checked the eps for this source and saw a 50% increase. After a few days, the logs finally caught up and we are now pulling logs in a timely manner.

Reply
Solved! Jump to solution

pabaph
Engager
‎04-29-2021 01:23 AM

Hi junsi,

We are facing the same issue in one project with that particular TA. Which is the file where you modified that parameter? Thanks in advance.

Best regards.

0 Karma
Reply
Solved! Jump to solution

junshi
Explorer
‎04-29-2021 06:13 AM

You can get to the setting within the App.

Simply click on the INPUTS tab, then select your (EventHub) input.

Click EDIT.

The Max Batch settings are at the bottom of the window!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...