We have finally migrated from the Microsoft Azure Add-on for Splunk to the Splunk Add-on for Microsoft Cloud Services.
In the Microsoft Azure Add-on for Splunk inputs configuration it was possible to specify the Event Hub sourcetype manually, but in the Splunk Add-on for Microsoft Cloud Services we have to choose the value. The problem is that we need the values azure:ad_signin:eventhub and azure:ad_audit:eventhub, but the Splunk Add-on for Microsoft Cloud Services provides only mscs:azure:eventhub.
Based on the log data from Azure, there is a category field with the values SignInLogs and AuditLogs. From it I can tell which events are audit logs and which are sign-in logs, and change the sourcetype for each log type.
On the heavy forwarder where the app is deployed (/opt/splunk/etc/apps/Splunk_TA_microsoft-cloudservices/default) I added the following config, but nothing changed; the sourcetype stays mscs:azure:eventhub. Any ideas what I'm missing?
props.conf:

[mscs:azure:eventhub]
TRANSFORMS-rename = SignInLogs,AuditLogs

transforms.conf:

[SignInLogs]
REGEX = SignInLogs
SOURCE_KEY = field:category
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::azure:ad_signin:eventhub
WRITE_META = true

[AuditLogs]
REGEX = AuditLogs
SOURCE_KEY = field:category
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::azure:ad_audit:eventhub
WRITE_META = true
I also tried this config. Still no result.
props.conf:

[mscs:azure:eventhub]
TRANSFORMS-sourcetype_azure_ad_audit_eventhub = azure_ad_audit_eventhub
TRANSFORMS-sourcetype_azure_ad_signin_eventhub = azure_ad_signin_eventhub

transforms.conf:

[azure_ad_signin_eventhub]
REGEX = "category":"SignInLogs"
FORMAT = sourcetype::azure:ad_signin:eventhub
DEST_KEY = MetaData:Sourcetype

[azure_ad_audit_eventhub]
REGEX = "category":"AuditLogs"
FORMAT = sourcetype::azure:ad_audit:eventhub
DEST_KEY = MetaData:Sourcetype
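Before pushing a per-event sourcetype override to a heavy forwarder, it is worth checking the REGEX values against sample events offline. The following Python harness is an added example for this thread, not code from the post or from the Splunk add-on: it models a props.conf TRANSFORMS- class whose stanzas use the default SOURCE_KEY (_raw) and DEST_KEY = MetaData:Sourcetype, applies the stanzas in order to constructed JSON records (made-up values; only the category names are real Azure AD log categories), and reports the resulting sourcetype. It runs the post's bare-keyword patterns, the post's quoted patterns, and a whitespace-tolerant variant side by side, so you can see that bare `SignInLogs` also matches NonInteractiveUserSignInLogs, and that the exact `"category":"AuditLogs"` misses a record serialized with a space after the colon.

```python
import re

# Constructed sample records in the shape of Azure AD diagnostic-setting events
# delivered through an Event Hub. Values are made up for this test; only the
# category names are real Azure AD log categories.
SAMPLE_EVENTS = {
    "compact_signin": '{"time":"2024-05-01T10:00:00Z","category":"SignInLogs",'
                      '"operationName":"Sign-in activity","resultType":"0"}',
    "spaced_audit": '{"time": "2024-05-01T10:00:01Z", "category": "AuditLogs", '
                    '"operationName": "Add user"}',
    "noninteractive": '{"time":"2024-05-01T10:00:02Z",'
                      '"category":"NonInteractiveUserSignInLogs",'
                      '"operationName":"Sign-in activity"}',
    "other": '{"time":"2024-05-01T10:00:03Z","category":"ProvisioningLogs"}',
}

DEFAULT_SOURCETYPE = "mscs:azure:eventhub"

# Each entry: (transforms.conf stanza name, REGEX, sourcetype from FORMAT = sourcetype::...)
# Order matches the props.conf TRANSFORMS- keys (audit first, then signin).

# The post's first attempt: bare keywords, no surrounding quotes.
BARE_TRANSFORMS = [
    ("AuditLogs", r"AuditLogs", "azure:ad_audit:eventhub"),
    ("SignInLogs", r"SignInLogs", "azure:ad_signin:eventhub"),
]

# The post's second attempt: exact key/value text with no whitespace allowed.
EXACT_TRANSFORMS = [
    ("azure_ad_audit_eventhub", r'"category":"AuditLogs"', "azure:ad_audit:eventhub"),
    ("azure_ad_signin_eventhub", r'"category":"SignInLogs"', "azure:ad_signin:eventhub"),
]

# Same stanzas, but tolerant of optional whitespace around the colon.
TOLERANT_TRANSFORMS = [
    ("azure_ad_audit_eventhub", r'"category"\s*:\s*"AuditLogs"', "azure:ad_audit:eventhub"),
    ("azure_ad_signin_eventhub", r'"category"\s*:\s*"SignInLogs"', "azure:ad_signin:eventhub"),
]


def apply_sourcetype_transforms(raw, transforms, default=DEFAULT_SOURCETYPE):
    """Model of one TRANSFORMS- class: every stanza is tried against the raw
    event text in listed order, and each match rewrites the sourcetype, so in
    this model a later matching stanza overrides an earlier one."""
    sourcetype = default
    for _name, regex, new_sourcetype in transforms:
        if re.search(regex, raw):
            sourcetype = new_sourcetype
    return sourcetype


def route_all(transforms):
    """Return {sample name: resulting sourcetype} for every constructed event."""
    return {name: apply_sourcetype_transforms(raw, transforms)
            for name, raw in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, transforms in (("bare", BARE_TRANSFORMS),
                              ("exact", EXACT_TRANSFORMS),
                              ("tolerant", TOLERANT_TRANSFORMS)):
        print(label)
        for name, sourcetype in route_all(transforms).items():
            print(f"  {name:15s} -> {sourcetype}")
```

The harness only checks the regex side of the problem. On the Splunk side, keep the override in the add-on's local/ directory rather than default/ (default/ is replaced on upgrade), restart splunkd on the heavy forwarder after changing index-time props or transforms, and confirm what the running instance has merged with `splunk btool props list mscs:azure:eventhub --debug` and `splunk btool transforms list azure_ad_signin_eventhub --debug`, which print the file each setting came from.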