Hi,
I am very new to this, so be gentle. I have setup an enterprise version of Splunk on an Azure VM image. I have installed this addon, but am not getting any data into Splunk. Below is an extract from the ta_ms_aad_MS_AAD_audit.log file
2018-12-10 23:59:46,316 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:46,958 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:48,070 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:49,189 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-12-10 23:59:49,189 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Customized key can not be found
2018-12-10 23:59:49,190 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Customized key can not be found
2018-12-10 23:59:49,190 INFO pid=10753 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-12-10 23:59:49,191 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:49,619 ERROR pid=10753 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 125, in collect_events
audit_events = get_audit_events(helper, access_token, url, max_records)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 90, in get_audit_events
header = {'Accept':'application/json', 'Authorization':'Bearer ' + access_token}
TypeError: cannot concatenate 'str' and 'exceptions.KeyError' objects
Any ideas? Any help appreciated.
I did complete those fields
-application id as client id
-generated key as the client secret
Try setting the log level to debug via the Logging tab and then run the following search:
index=_internal source=*aad* error
No errors found in the last 24 hours.
There were some logs dating back to when I was first setting it up
Try disabling and re-enabling the input, or create a new input and run the above search again with the log level set to debug.
Can anyone provide insight, or provide some insights on how to debug this? I feel I followed the instructions verbatim.
I can get data into Power BI, but for the life of me, I cannot get data into Splunk.