
Why am I getting a "Winsock Error 10053" while using "Microsoft Log Analytics Add-on (Formerly Known as OMS)"?

payal4296
Explorer

I installed this add-on/app on Heavy Forwarder and configured inputs as:

Name: oms_test_env
Interval: 60
Index: main
Resource Group: xxxx
Workspace Name: xxxx
Subscription ID: xxxxx
Tenant ID: xxxx
Application ID: xxxx
Application ID: xxxx
Log Analytics Query: search *
Start Date: 15/08/2018 00:00:00
Event Delay/ lag Time: 15

493669
Super Champion

Hi @payal4296,
You should enter Workspace Name as Workspace Id


thambisetty
SplunkTrust

Single event is broken into multiple events - logs parsing issue

————————————
If this helps, give a like below.

thambisetty
SplunkTrust

Modified line number 91
from
value = str(data["tables"][0]["rows"][i][n]).replace('"', "'").replace("\\", "\\\\").replace("None", "")
to
value = str(data["tables"][0]["rows"][i][n]).replace('"', "'").replace("\\", "\\\\").replace("None", "").replace("\r\n", "")

This will remove newlines and carriage returns if the field value is a dictionary. Because field values contain dictionaries with newlines in them, I could see line breaking. This change will avoid the line breaking.

————————————
If this helps, give a like below.
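As an added illustration of the line-breaking fix in this post (example code, not the TA's own): a constructed Log Analytics query response is flattened once with the original replace chain and once with a newline-stripping one. It generalises the post's `.replace("\r\n", "")` by removing CR and LF independently, so a bare LF is caught as well. The response shape follows the `data["tables"][0]["rows"]` access used in the thread; the `key="value"` event layout and the sample values are assumptions.

```python
# Constructed sample shaped like a Log Analytics query response: one table
# with column names and rows. One string cell carries a real CR/LF pair,
# which is what splits a single event into several at index time.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "TimeGenerated"}, {"name": "Computer"},
                    {"name": "Message"}, {"name": "Properties"}],
        "rows": [[
            "2018-08-15T00:00:05.123Z",
            "web01",
            "login failed\r\nuser=alice",          # multi-line string cell
            {"detail": "line1\nline2"},            # dict cell: str() escapes its LF
        ]],
    }]
}


def sanitize_original(value):
    """The replace chain quoted in the thread, before the fix."""
    return str(value).replace('"', "'").replace("\\", "\\\\").replace("None", "")


def sanitize_fixed(value):
    """Same chain plus newline stripping. CR and LF are removed separately so
    a lone LF is handled too, not only the CR+LF pair the thread replaces."""
    return sanitize_original(value).replace("\r", "").replace("\n", "")


def build_event(columns, row, sanitize):
    """Render one row as a single key="value" line (assumed event layout)."""
    pairs = ['%s="%s"' % (col["name"], sanitize(cell))
             for col, cell in zip(columns, row)]
    return " ".join(pairs)


def events_from_response(data, sanitize=sanitize_fixed):
    """Flatten every row of the first table into one event string each."""
    table = data["tables"][0]
    return [build_event(table["columns"], r, sanitize) for r in table["rows"]]


def line_count(event):
    """Number of lines a default line breaker would see in this event."""
    return len(event.splitlines())


if __name__ == "__main__":
    for sanitize in (sanitize_original, sanitize_fixed):
        ev = events_from_response(SAMPLE_RESPONSE, sanitize)[0]
        print(sanitize.__name__, "->", line_count(ev), "line(s)")
```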

thambisetty
SplunkTrust

One more: the TA is indexing the data with the current time, not with the event time.
Timestamp mapping: add the stanza below to local/props.conf if you have installed the TA on the HF, or add it on the indexer.

[loganalytics]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX = "TimeGenerated":"

————————————
If this helps, give a like below.

jkat54
SplunkTrust

Good stuff, can you create a new post for this so I can track and fold into the code if needed?


thambisetty
SplunkTrust

One more: the TA does not support multiple inputs, since your checkpoint can't differentiate the input name.

I hope you consider all these changes and update the TA, or I will try to complete the TA which I am already working on.

————————————
If this helps, give a like below.

493669
Super Champion

Yes, I had a similar issue: I created an input and, due to an internal problem on our side, the ports got disabled. Then I created a new input and gave a fetch date in the past with a new index,
but in the new index the timestamp was from the date the previous input was disabled.


jkat54
SplunkTrust

Please start new questions.


493669
Super Champion

I installed it with the defaults and I see a lag of 2 hours between the event time (_time) and TimeGenerated,
although I set the default lag of 15 min.


thambisetty
SplunkTrust

@493669

The TA is not looking at the event timestamp (TimeGenerated); the TA will index events with the time at which you fetch them.

————————————
If this helps, give a like below.

493669
Super Champion

@thambisetty, yes, the TA will index events with the time I fetch, but I schedule it to run every 60 sec, so there should not be much lag.
I think @jkat54 pointed out something regarding UTC.


dpanych
Communicator

I believe we are using UTC, according to the 'now' variable: datetime.datetime.utcnow()


jkat54
SplunkTrust

I think I missed a code change where we forced UTC. @dpanych

Familiar?


jkat54
SplunkTrust

I just released v1.0.1 that renames Workspace Name to Workspace ID.

Thanks for reporting the bug.
