All Apps and Add-ons

New Install - Not receiving any data from Azure.,New Install on Splunk Enterprise - Getting traceback error

davidworthingto
New Member

Hi,

I am very new to this, so be gentle. I have setup an enterprise version of Splunk on an Azure VM image. I have installed this addon, but am not getting any data into Splunk. Below is an extract from the ta_ms_aad_MS_AAD_audit.log file

2018-12-10 23:59:46,316 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:46,958 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:48,070 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:49,189 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-12-10 23:59:49,189 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Customized key can not be found
2018-12-10 23:59:49,190 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Customized key can not be found
2018-12-10 23:59:49,190 INFO pid=10753 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-12-10 23:59:49,191 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:49,619 ERROR pid=10753 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 125, in collect_events
audit_events = get_audit_events(helper, access_token, url, max_records)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 90, in get_audit_events
header = {'Accept':'application/json', 'Authorization':'Bearer ' + access_token}
TypeError: cannot concatenate 'str' and 'exceptions.KeyError' objects

Any ideas? Any help appreciated.

0 Karma

jconger
Splunk Employee
Splunk Employee

Did you provide the client ID and secret by going to Configuration -> Add-on Settings?

alt text

0 Karma

davidworthingto
New Member

I did complete those fields
-application id as client id
-generated key as the client secret

0 Karma

jconger
Splunk Employee
Splunk Employee

Try setting the log level to debug via the Logging tab and then run the following search:

index=_internal source=*aad* error
0 Karma

davidworthingto
New Member

No errors found in the last 24 hours.
There were some logs dating back to when I was first setting it up

0 Karma

jconger
Splunk Employee
Splunk Employee

Try disabling and re-enabling the input, or create a new input and run the above search again with the log level set to debug.

0 Karma

davidworthingto
New Member

Can anyone provide insight, or provide some insights on how to debug this? I feel I followed the instructions verbatim.
I can get data into Power BI, but for the life of me, I cannot get data into Splunk.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...