08-16-2018 16:31:19.869 -0500 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh" Modular input azure_activity_log://azure-event-hub-dev Error getting event hub creds: SyntaxError: Unexpected end of JSON input
Does anyone know how to fix this?
Can you post your inputs.conf?
I am not sure what you mean; the TA inputs are default. I set it up through the GUI under data inputs activity_log. Please explain which inputs I should look at. Thank you.
Can you share what you used for the values in the input (be sure to anonymize the values)? This is what ends up in inputs.conf and will help troubleshoot.
Thank you for the replies.
Others have looked into this as well, and they have found a bug and abandoned the TA.
I wanted to use the Azure Monitor with Event Hub to preclude manually entering accounts and inputs for all my Azure data.
Trying to automate the manual process with the API now.
Btw, this TA/App only works on Splunk Enterprise instances deployed inside Azure from the Azure Marketplace, and it must be version 7+.
If you get it working you can then forward to wherever your main Splunk deployment is...
The add-on is not required to run inside of Azure. You can run it on Splunk 6.5+ anywhere an outbound connection can be made to Azure (on-prem, public cloud, private cloud).
I don't like the Azure Monitor from Microsoft or the Microsoft Cloud Services App from Splunk...
Here is a method I developed for audit logs from Azure and O365 using the Log Analytics repositories.
This might work for you depending on what you are trying to get at: https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html
Also, one of my co-workers whipped up a PowerShell script the other day to get at some data via the API that I couldn't get in Log Analytics, and he just reused my HTTP/HEC listener to post to.
I like the reliability and simplicity of this setup much better than some of the other options available.
Thank you, we will look into this option. Yes, the Azure apps have been a pain.
So do you think your solution will work with an event hub in Azure? Thank you.
Probably... if there's some way to build a little logic app to query or receive from the event hub, but if the logs are something already available in Log Analytics and/or a "Solution"+Log Analytics you can do away with the event hub entirely.