Azure Monitor - error message

Log_wrangler
Builder

08-16-2018 16:31:19.869 -0500 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Azure_Monitor/bin/azure_activity_log.sh" Modular input azure_activity_log://azure-event-hub-dev Error getting event hub creds: SyntaxError: Unexpected end of JSON input

Does anyone know how to fix this?

0 Karma

jconger
Splunk Employee

Can you post your inputs.conf?

0 Karma

Log_wrangler
Builder

I am not sure what you mean; the TA inputs are default. I set it up through the GUI under data inputs activity_log. Please explain which inputs I should look at. Thank you.

0 Karma

jconger
Splunk Employee

Can you share what you used for the values in the input (be sure to anonymize the values)? This is what ends up in inputs.conf and will help troubleshoot.

0 Karma

Log_wrangler
Builder

Thank you for the replies.
Others have looked into this as well, and they have found a bug and abandoned the TA.
I wanted to use the Azure Monitor with event hub to preclude manually entering accounts and inputs for all my Azure data.

Trying to automate the manual process with the API now.

0 Karma

marycordova
SplunkTrust

btw, this TA/App only works on Splunk Enterprise instances deployed inside Azure from the Azure Marketplace and it must be version 7+

if you get it working you can then forward to wherever your main Splunk deployment is...

@marycordova
0 Karma

jconger
Splunk Employee

The add-on is not required to run inside of Azure. You can run it on Splunk 6.5+ anywhere an outbound connection can be made to Azure (on-prem, public cloud, private cloud).

0 Karma

marycordova
SplunkTrust

I don't like the Azure Monitor from Microsoft or the Microsoft Cloud Services App from Splunk...

Here is a method I developed for audit logs from Azure and O365 using the Log Analytics repositories.

This might work for you depending on what you are trying to get at: https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html

Also, one of my co-workers whipped up a PowerShell script the other day to get at some data via the API that I couldn't get in Log Analytics, and he just reused my HTTP/HEC listener to post to.

I like the reliability and simplicity of this setup much better than some of the other options available.

@marycordova
0 Karma

Log_wrangler
Builder

Thank you, we will look into this option. Yes, the Azure apps have been a pain.

0 Karma

Log_wrangler
Builder

So do you think your solution will work with an event hub in Azure? Thank you.

0 Karma

marycordova
SplunkTrust

probably...if there's some way to build a little logic app to query or receive from the event hub, but if the logs are something already available in Log Analytics and/or a "Solution"+Log Analytics you can do away with the event hub entirely

@marycordova
0 Karma