Hello,
I am pulling data from two separate Azure instances and I need a way to differentiate the logs between the indexes. I don't want to put the data in separate indexes, and the source is the Microsoft API for both environments. Is there a way to manually set the host field for each input? I checked the splunk_ta_ms_o365_client_management_api_inputs.conf (and other confs) and I didn't see an option to set the host value.
Thank you.
Hey @David16,
You can refer this doc:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Setadefaulthostforaninput
Let me know if this helps!!
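The per-stanza host setting that doc describes, written out for two tenant inputs as an added example (not from this thread or the add-on's own documentation). The scheme name in the stanza headers is a placeholder for the add-on's real modular-input scheme, and it is an assumption that this add-on honours the generic inputs.conf host setting; confirm that against the add-on before relying on it.

```ini
# inputs.conf (local/), example only.
# Assumptions: "ms_o365_mgmt_api" stands in for the add-on's actual modular-input
# scheme name, and the add-on honours the generic per-stanza "host" setting.
# Keep whatever tenant-specific keys the add-on's setup UI wrote into each stanza.

[ms_o365_mgmt_api://tenant_contoso]
index = o365
# Static host value for everything this input produces
host = o365-tenant-contoso

[ms_o365_mgmt_api://tenant_fabrikam]
index = o365
host = o365-tenant-fabrikam

# After a restart, verify with:  index=o365 | stats count by host
# Note: host set here applies only to data indexed from this point on.
```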
Hello, have you tried differentiating by using the OrganizationId field? This should be different for each tenant that you're pulling data from.
I thought of that, but I don't see the organization ID in every event.
Just to clarify, the events that don't have organization ID, are they from the o365 management API as well or is that including storage table and storage blob?
If you run the below search, how many API sources does it return?
index=(your index) sourcetype=(microsoft api) | rex field=source "/(?<apisource>.*)/activity" | stats count by apisource