I am able to connect to the Azure hub using the shared key and event hub name in inputs, but I am not seeing any logs from the eventhub in Splunk. Every 30 seconds (the input interval) I get the logs below when using the search: index=internal sourcetype=ta:ms:aad:log debug _Splunk . It seems like there is no data in the event hub. The key I am using has the listen permission. When looking at the hub in Azure, it seems as if logs are being sent to the hub.
2020-02-19 09:41:57,341 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 4, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_4, last offset: -1
2020-02-19 09:41:52,417 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 4, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_4, last offset: -1
2020-02-19 09:41:52,412 DEBUG pid=52756 tid=ThreadPoolExecutor-0_2 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 2, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_2, last offset: -1
2020-02-19 09:41:52,407 DEBUG pid=52756 tid=ThreadPoolExecutor-0_1 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 1, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_1, st offset: -1
2020-02-19 09:41:52,402 DEBUG pid=52756 tid=ThreadPoolExecutor-0_0 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 0, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_0, last offset: -1
2020-02-19 09:41:52,396 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk saving check point. Hub name: hubname, partition_id: 3, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_3, last offset: -1
2020-02-19 09:41:47,206 DEBUG pid=52756 tid=ThreadPoolExecutor-0_3 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 3, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_3, last offset: -1
2020-02-19 09:41:47,197 DEBUG pid=52756 tid=ThreadPoolExecutor-0_2 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 2, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_2, last offset: -1
2020-02-19 09:41:47,087 DEBUG pid=52756 tid=ThreadPoolExecutor-0_1 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 1, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_1, last offset: -1
2020-02-19 09:41:46,935 DEBUG pid=52756 tid=ThreadPoolExecutor-0_0 file=base_modinput.py:log_debug:286 | Splunk getting Event Hub events. Hub name: hubname, partition_id: 0, event data type: None, checkpoint key: event_hub_sequence_number_Azure_Splunk_Audit_login_hubname_0, last offset: -1
2020-02-19 09:41:46,913 DEBUG pid=52756 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk partition IDs for hub hubname: [u'0', u'1', u'2', u'3', u'4']
2020-02-19 09:41:45,801 DEBUG pid=52756 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk Getting proxy server.
Did you get a resolution to this?
I'm seeing the same behaviour and no idea what the cause is.
I have 2 HFs; one pulls data successfully from the eventhub, the other HF always returns the -1 offset.
This is 1 HF to 1 eventhub per region, so I'm not making multiple requests into the same eventhub from multiple HFs.