Re: New Install - Not receiving any data from Azur...

davidworthingto · ‎12-10-2018

Hi,

I am very new to this, so be gentle. I have setup an enterprise version of Splunk on an Azure VM image. I have installed this addon, but am not getting any data into Splunk. Below is an extract from the ta_ms_aad_MS_AAD_audit.log file

2018-12-10 23:59:46,316 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:46,958 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:48,070 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:49,189 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2018-12-10 23:59:49,189 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Customized key can not be found
2018-12-10 23:59:49,190 INFO pid=10753 tid=MainThread file=setup_util.py:log_info:114 | Customized key can not be found
2018-12-10 23:59:49,190 INFO pid=10753 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-12-10 23:59:49,191 INFO pid=10753 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-12-10 23:59:49,619 ERROR pid=10753 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 125, in collect_events
audit_events = get_audit_events(helper, access_token, url, max_records)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 90, in get_audit_events
header = {'Accept':'application/json', 'Authorization':'Bearer ' + access_token}
TypeError: cannot concatenate 'str' and 'exceptions.KeyError' objects

Any ideas? Any help appreciated.

jconger · ‎12-18-2018

Did you provide the client ID and secret by going to Configuration -> Add-on Settings?

davidworthingto · ‎12-18-2018

I did complete those fields
-application id as client id
-generated key as the client secret

jconger · ‎12-19-2018

Try setting the log level to debug via the Logging tab and then run the following search:

index=_internal source=*aad* error

davidworthingto · ‎12-19-2018

No errors found in the last 24 hours.
There were some logs dating back to when I was first setting it up

jconger · ‎12-19-2018

Try disabling and re-enabling the input, or create a new input and run the above search again with the log level set to debug.

davidworthingto · ‎12-12-2018

Can anyone provide insight, or provide some insights on how to debug this? I feel I followed the instructions verbatim.
I can get data into Power BI, but for the life of me, I cannot get data into Splunk.

New Install - Not receiving any data from Azure.,New Install on Splunk Enterprise - Getting traceback error

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio