Able to connect to Eventhub but data is not downloaded, offset stays at -1

dcanchon
New Member

Able to connect to Azure hub using shared key and event hub name in inputs. I am not seeing any logs from the eventhub in Splunk. Every 30 seconds (input interval) I get the logs below when using the search: index=internal sourcetype=ta:ms:aad:log debug _Splunk . It seems like there is no data in the event hub. The key I am using has the listen permission. When looking at the hub in Azure, it seems as if logs are being sent to the hub.

2020-02-19 09:41:57,341 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 4, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_4, last offset: -1
2020-02-19 09:41:52,417 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 4, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_4, last offset: -1
2020-02-19 09:41:52,412 DEBUG pid=52756 tid=ThreadPoolExecutor-0_2 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 2, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_2, last offset: -1
2020-02-19 09:41:52,407 DEBUG pid=52756 tid=ThreadPoolExecutor-0_1 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 1, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_1, st offset: -1
2020-02-19 09:41:52,402 DEBUG pid=52756 tid=ThreadPoolExecutor-0_0 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 0, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_0, last offset: -1
2020-02-19 09:41:52,396 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 3, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_3, last offset: -1
2020-02-19 09:41:47,206 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 3, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_3, last offset: -1
2020-02-19 09:41:47,197 DEBUG pid=52756 tid=ThreadPoolExecutor-0_2 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 2, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_2, last offset: -1
2020-02-19 09:41:47,087 DEBUG pid=52756 tid=ThreadPoolExecutor-0_1 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 1, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_1, last offset: -1
2020-02-19 09:41:46,935 DEBUG pid=52756 tid=ThreadPoolExecutor-0_0 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 0, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_0, last offset: -1
2020-02-19 09:41:46,913 DEBUG pid=52756 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk partition IDs for hub hubname: [u'0', u'1', u'2', u'3', u'4']
2020-02-19 09:41:45,801 DEBUG pid=52756 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk Getting proxy server.

0 Karma

robwheeler
Engager

Did you get a resolution to this?

I'm seeing the same behaviour and have no idea what the cause is.

I have 2 HFs: one pulls data successfully from the eventhub, the other HF always returns the -1 offset.

This is 1 HF to 1 eventhub per region, so I'm not making multiple requests into the same eventhub from multiple HFs.

0 Karma
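
A way to summarise the debug output quoted in this thread, as an added example that is not part of either post or of the add-on's own code: it parses the `saving check point` lines and lists the partitions whose checkpoint never leaves -1 across polls. The sample lines are constructed in the format shown in the first post, and the names `stalled_partitions` and `min_saves` and the treatment of the offset as an integer are assumptions.

```python
import re
from collections import defaultdict

# Regex derived from the DEBUG lines quoted in the first post. "offset:" is
# matched loosely because one quoted line reads "st offset", not "last offset".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG .*\| Splunk (?P<action>saving check point|"
    r"getting Event Hub events)\. Hub name: (?P<hub>[^,]+), "
    r"partition_id: (?P<pid>\d+),.*offset: (?P<offset>-?\d+)\s*$"
)

# Constructed sample in the same format (not the poster's data).
# Assumption: offsets are integers once a partition has been read.
PREFIX = "DEBUG pid=1 tid=T file=base_modinput.py:log_debug:286 | Splunk"
SAMPLE_LOG = f"""\
2020-01-01 00:00:00,000 {PREFIX} Getting proxy server.
2020-01-01 00:00:01,000 {PREFIX} getting Event Hub events. Hub name: hubname, partition_id: 0, event data type: None, checkpoint key: k_0, last offset: -1
2020-01-01 00:00:06,000 {PREFIX} saving check point. Hub name: hubname, partition_id: 0, checkpoint key: k_0, last offset: -1
2020-01-01 00:00:06,100 {PREFIX} saving check point. Hub name: hubname, partition_id: 1, checkpoint key: k_1, last offset: 1024
2020-01-01 00:00:36,000 {PREFIX} saving check point. Hub name: hubname, partition_id: 0, checkpoint key: k_0, st offset: -1
2020-01-01 00:00:36,100 {PREFIX} saving check point. Hub name: hubname, partition_id: 1, checkpoint key: k_1, last offset: 2048
2020-01-01 00:00:36,200 {PREFIX} saving check point. Hub name: hubname, partition_id: 2, checkpoint key: k_2, last offset: -1
"""

def stalled_partitions(lines, min_saves=2):
    """Return {(hub, partition_id): save_count} for partitions whose every
    saved checkpoint offset is -1, i.e. polls ran but no event was read."""
    saves = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Lines in another format (e.g. "Getting proxy server.") are skipped.
        if m and m["action"] == "saving check point":
            saves[(m["hub"], int(m["pid"]))].append(int(m["offset"]))
    return {
        key: len(offsets)
        for key, offsets in sorted(saves.items())
        if len(offsets) >= min_saves and all(o == -1 for o in offsets)
    }

if __name__ == "__main__":
    for (hub, pid), n in stalled_partitions(SAMPLE_LOG.splitlines()).items():
        print(f"hub={hub} partition={pid}: {n} checkpoints saved, offset still -1")
```

Run over the add-on's debug log from each heavy forwarder, this separates a partition that has simply been polled once from one that is polled repeatedly without ever reading an event.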