2 things to check. 1 - I've seen instances where firewall devices inject private cert on outbound traffic causing error messages like this.  Adding an exception for the Splunk forwarder resolved the issue. 2 - if you are using self-signed or internal certs, you may need to add the cert to the add-on's trust list. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/lib/certifi Edit cacert.pem file Append the contents of your root certificate to this file Restart Splunk ... View more

The Message Trace input requires an additional step that isn't needed for the other inputs.  Did you add the Azure AD app registration to one of the following IAM roles? Exchange Administrator Global Administrator Global Reader role (recommended) https://docs.splunk.com/Documentation/AddOns/released/MSO365/Configureinputmessagetrace ... View more

To get Microsoft Defender XDR data into Splunk, use the Splunk Add-on for Microsoft Security => https://splunkbase.splunk.com/app/6207 All the Microsft Defender XDR incidents, alerts, entities, evidence, etc. are collected by this add-on. ... View more

Where are you applying the Event Hubs Data Receiver role?  I usually apply it at the Subscription level so that any other namespaces created in the same subscription will inherit the necessary permissions.  There is a walkthrough here (Step 4) => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data The SSL error you are getting may be a private certificate in the certificate chain.  I have also seen similar issues when a network device injects a private cert in the header in outbound traffic. ... View more

The best way is to send your Microsoft Entra ID (formerly Azure AD) data to an event hub.  Then, use the Splunk Add-on for Microsoft Cloud Services to ingest the data (hint: use the azure:monitor:aad sourcetype).  Here's a Lantern article for setting up the add-on => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub_data   Alternatively, you can use Splunk Add-on for Microsoft Azure.  Use the "Azure Active Directory Interactive Sign-ins" input to get the data.  Depending on your environment size, you may hit some throttling limitations with the REST API this add-on uses => https://github.com/splunk/splunk-add-on-microsoft-azure/wiki/Configure-Azure-Active-Directory-inputs-for-the-Splunk-Add-on-for-Microsoft-Azure#throttling-guidance ... View more

Install the Splunk Add-on for Microsoft Cloud Services and configure the Azure Resource input.  Choose "Snapshot Data" as the resource type (see screenshot).   ... View more

Install the Splunk Add-on for Microsoft Cloud Services and configure the Azure Resource input.  Choose "Disk Data" as the resource type (see screenshot). Then, you can use this search to find unattached (orphaned) disks: index=main sourcetype="mscs:resource:disk" properties.diskState="unattached"     ... View more

I can confirm that the checkpoint data is stored in the KV Store on the forwarder.  The checkpoint is the last timestamp retrieved from the Azure REST API.  So if you use a new forwarder, the data will be ingested again (duplicate data). ... View more

Another option is to use Microsoft Visual Studio Code ( https://code.visualstudio.com/ ).  VSCode lets you find/replace text in multiple files. While I'm here, I'll add a shameless plug for the Splunk VSCode extension ( https://marketplace.visualstudio.com/items?itemName=Splunk.splunk ).  The extension will provide IntelliSense for .conf files, it has snippets for common configurations, provides a debug mechanism for those who code on top of Splunk, and more. ... View more

In the screenshot above, the API token is the value to use for the "Cloud App Security Token". ... View more

It's possible to do this type of thing in the UI too.  Go to Settings > Source Types > choose the sourcetype > Advanced > New setting > Save ... View more

TL;DR = the last three parameters (Cloud App Security Token, Tenant Subdomain, and Tenant Data Center) are only used by the Cloud Application Security Input.  If you do not plan on using that input in the add-on, you can leave those fields blank.  If you do plan on using that input, here is a quick how-to about getting the needed values: Log on to the Cloud App Security portal https://portal.cloudappsecurity.com/ Once logged in, go to Settings > Security extensions Click the Add token button Give the token a name and click Generate The token will be displayed.  This is the only time the token will be displayed by the way. Copy the token, tenant subdomain (splunkpartner in my case), and data center (us3 in my case).   The first three parameters (Tenant ID, Client ID, and Client Secret) are used by the following inputs: Management Activity Service Status Service Message Graph API The Microsoft 365 App has a good walkthrough about creating the Azure AD application registration and assigning the necessary permissions (it is in the Help > Setup Guide menu in the app).  If you are configuring additional Microsoft Cloud add-ons, here is a good reference for the necessary permissions needed along with sourcetypes and APIs used => http://bit.ly/Splunk_Azure_Permissions   ... View more

It would be helpful to post your dashboard's XML. ... View more

You should not need the condition since the done event handler fires when the job is, well, done... Here is an example: <form> <label>Start a search after another search finishes</label> <description>This dashboard demonstrates how to start a second search after a primary search finishes. This is accomplished by using the &lt;done&gt; event handler in the &lt;search&gt; element.</description> <fieldset submitButton="true" autoRun="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-48h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Primary Search</title> <table> <search> <query>index=_internal sourcetype=splunkd | table host source sourcetype</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <sampleRatio>1</sampleRatio> <done> <set token="start">$job.earliestTime$</set> <set token="end">$job.latestTime$</set> </done> </search> <option name="count">5</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <row> <panel> <title>This search happens after the above search is finished</title> <chart> <search> <query>index=_internal | timechart count as total count(eval(sourcetype="splunkd")) as "splunkd"</query> <earliest>$start$</earliest> <latest>$end$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.axisTitleY.visibility">collapsed</option> <option name="charting.axisTitleY2.visibility">visible</option> <option name="charting.axisX.scale">linear</option> <option name="charting.axisY.scale">linear</option> <option name="charting.axisY2.enabled">1</option> <option name="charting.axisY2.fields">splunkd</option> <option name="charting.axisY2.scale">inherit</option> <option name="charting.chart">column</option> <option name="charting.chart.overlayFields">splunkd</option> <option name="charting.fieldColors">{"total": 0x639BF1, "splunkd":0xFF5A09}</option> <option name="charting.legend.masterLegend">null</option> <option name="charting.legend.placement">bottom</option> <option name="height">300</option> </chart> </panel> </row> </form> ... View more

How did you migrate? If it was a file copy rather than a new installation, your client secret may not decrypt correctly if your splunk.secret file is not the same. ... View more

Here is a snippet that currently works: require(["jquery", "splunkjs/mvc/simplexml/ready!"], function($) { $("[id^=numbers_only]") .find("input") .attr('type','number') }); ... View more

CPU, RAM, and disk is based on data ingest and search rather than license type. At 500MB per day, you can run Splunk on a laptop computer or similar. ... View more

You can use a heavy forwarder with the Splunk Add-on for Microsoft Cloud Services to read data from the blob and forward on to Splunk Cloud. This heavy forwarder could live in Azure, on your premises, or anywhere that has access to the internet. With Splunk Cloud, you could get an Input Data Manager (IDM) provisioned that could run the add-on as well. Anything specific you are looking to get from the Azure blob? Is it diagnostic data/logs from other Azure resources? If so, there may be a better/easier way to do it versus using blobs. ... View more

It looks like mixing <![CDATA[ ... ]]> with URL escaped characters is causing your problems. If you keep the CDATA, change &gt; to > and &lt; to < . Or, drop the CDATA stuff and keep the URL escaped characters. ... View more

I notice in your example event the XML syntax is wrong: <EventID>4624/EventID> It should be: <EventID>4624</EventID> Correcting that, the following regex seems to work: \<EventID\>4624\<\/EventID>.+\<Data\s+Name='LogonProcessName'>NtLmSsp|\<Data\s+Name='LogonProcessName'>NtLmSsp.+\<EventID\>4624\<\/EventID> This accounts for EventID occurring before or after the NtLmSsp LogonProcessName ... View more

The blog post mentioned centers around deploying Splunk Enterprise in Azure via the Azure Marketplace. Splunk Enterprise is a prerequisite for Enterprise Security. You can use the Azure Marketplace deployment to first deploy Splunk and then install Enterprise Security if you like. There are some things to think about when deploying Splunk in Azure though. Things like managed disks, availability sets, instance size, etc. A white paper is available if you want to look at some of those details. This white paper details deploying Splunk in Azure manually instead of using the Azure Marketplace method. ... View more

Are you using tokens to accomplish this? Posting your dashboard source would be helpful. ... View more

Here is a good walkthrough for getting blob and table data into Splunk -> https://www.splunk.com/blog/2017/08/18/splunking-microsoft-cloud-data-part-2.html ... View more