
Microsoft Azure Add-on for Splunk no longer pulling event hub data

junshi
Explorer

Logs have been working fine until this week, now I get the error:

ERROR pid=15289 tid=MainThread file=base_modinput.py:log_error:307 | _Splunk_ Error getting event hub data for hub: insights-logs-signinlogs, resource: 3. Detail: The service was unable to process the request; please retry the operation. For more information on exception types and proper exception handling, please refer to http://go.microsoft.com/fwlink/?LinkId=761101 TrackingId:abe05384f2aa4f528eaad64feccc1e53_G8, SystemTracker:gateway5, Timestamp:

ErrorCodes.InternalServerError: The service was unable to process the request; please retry the operation. For more information on exception types and proper exception handling, please refer to http://go.microsoft.com/fwlink/?LinkId=761101 TrackingId:abe05384f2aa4f528eaad64feccc1e53_G8, SystemTracker:gateway5, Timestamp:

 

Also seeing these errors around the same time:

ERROR pid=48797 tid=MainThread file=base_modinput.py:log_error:307 | _Splunk_ Error getting event hub data for hub: insights-logs-auditlogs, resource: 2. Detail: ('Connection aborted.', BadStatusLine("''",))

This is happening for multiple hubs?

Azure App v2.1.0

Splunk v7.3.3

@jconger !

0 Karma
1 Solution

junshi
Explorer

Found the solution: the number of eventhub events had increased and the default settings for the Microsoft Azure Add-on App were no longer able to keep up.

I increased the setting for "Max batch Set Iterations" from 100 to 1000.

I then checked the eps for this source and saw a 50% increase. After a few days, the logs finally caught up and we are now pulling logs in a timely manner.


pabaph
Engager

Hi junshi,

We are facing the same issue in one project with that particular TA. Which is the file where you modified that parameter? Thanks in advance.

Best regards.

0 Karma

junshi
Explorer

You can get to the setting within the App.

Simply click on the INPUTS tab, then select your (EventHub) input.

Click EDIT.

The Max Batch settings are at the bottom of the window!

0 Karma