Troubleshooting for Azure Active Directory data in Data Manager
Troubleshooting tips include, but are not limited to, the following items that can assist throughout the onboarding process.
Prerequisite troubleshooting
You will get an error during onboarding if any of the following do not match what is configured during the prerequisites.
Message | Tips |
---|---|
Incorrect tenant ID | Verify that the tenant ID matches the one displayed under Overview > Tenant information in the Azure portal. |
Incorrect client ID | Verify the client ID of the app matches the ID that is registered in the Azure portal. |
Incorrect client ID | Verify the client secret of the app matches the secret that is registered in the Azure portal. |
Data ingestion troubleshooting
You will get an error during onboarding if any of the following do not match what is configured during the prerequisites.
Message | Tips |
---|---|
Invalid client permissions lead to messages such as the following: 401, invalid_client, Invalid client secret is provided, the permission set () sent in the request does not include the expected permission. | Edit the input in Data Manager to provide valid credentials, then check again for incoming data. Alternatively, review the prerequisite instructions again to add the correct permissions to the application and grant admin consent for all permissions in the Azure portal. |
Invalid endpoint type leads to messages such as the following: 400 or Request is being redirected to XXX. | Select a different endpoint by editing the input in Data Manager, then check again for incoming data. |
Azure Function throws Microsoft.Azure.EventHubs.ReceiverDisconnectedException | |
Azure Function throws Microsoft.Azure.EventHubs.Processor.LeaseLostException |
Error deploying ARM template: Required parameter WEBSITE_CONTENTSHARE is missing
When deploying the ARM template, you may receive the following error:
The deployment 'splunk-activity-logs-deploy-resources' failed with error(s). Showing 3 out of 3 error(s). Status Message: Tenant ID, application ID, principal ID, and scope are not allowed to be updated. (Code:RoleAssignmentUpdateNotPermitted) Status Message: Required parameter WEBSITE_CONTENTSHARE is missing. (Code: BadRequest)
WEBSITE_CONTENTSHARE is auto generated when the Azure Function is created. If an Azure Function with the same name already exists, a new one is not created, the setting is not generated, and this error is thrown. Usually the cause is a name collision: an Azure Function already exists that has the same Data Manager input id in its name.
Before trying to redeploy Azure resources using the ARM template, make sure to delete the old deployment and Resource Group for this Data Manager input, then run the deployment command. Or, create a new Data Manager input and use the new Data Manager input id.
Error deploying ARM template: "At least one resource deployment operation failed; The resource operation completed with terminal provisioning state 'Failed'."
When deploying the ARM template, you may receive the following error:
The deployment 'splunk-activity-logs-deploy-resources' failed with error(s). Showing 1 out of 1 error(s). Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details. (Code: DeploymentFailed) Azure Portal Error for Microsoft.Web/sites/sourcecontrols: { "status": "Failed", "error": { "code": "ResourceDeploymentFailure", "message": "The resource operation completed with terminal provisioning state 'Failed'." }}
The Azure Function code needs to be fetched from GitHub to be deployed. Sometimes this fetch fails, which results in the above error.
Follow the steps in the Ensure Azure Function is deployed correctly section of this topic to ensure the Azure Function has been deployed properly.
Ensure Azure Function is deployed correctly
- Find the Azure Function
  - Navigate to portal.azure.com
  - Navigate to the destination subscription.
  - On the navigation panel, select Resource groups.
  - Select the resource group for the SCDM input. The name is SplunkDMDataIngest-[Data manager input id]
  - Select the Function App. The name will be suffixed with the data manager input id.
  - On the navigation panel, select Functions.
- Confirm the Azure Function is not deployed
  - In the Functions section in the Function App, you may notice there are no functions and the Azure portal displays No results.
- Redeploy the Azure Function
  - In the same Function App as the previous steps, navigate to Deployment Center.
  - In the Deployment Center, click Sync.
  - Click OK to confirm that you want to redeploy.
  - A Redeploy Request Submitted popup will appear.
  - Wait approximately 1-5 minutes.
  - Reload the page to see the function appear on your list of Functions.
  - Verify that data is now flowing.
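The same check and redeploy can be scripted with the Azure CLI. The following is an added example, not part of the Splunk documentation or the ARM template: it assumes `az login` has been run and the destination subscription is already selected, that input ids contain only letters, digits, `-` and `_`, and that `az functionapp deployment source sync` is the CLI counterpart of the Deployment Center Sync button. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: CLI walk-through of the portal steps above.
# Assumption: input ids contain only letters, digits, '-' and '_'.

# Reject empty ids and ids that could alter the JMESPath query below.
valid_input_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# Resource group name, following the pattern given on this page.
rg_for_input() { printf 'SplunkDMDataIngest-%s\n' "$1"; }

# Name of the Function App whose name ends with the input id.
find_function_app() {
  az functionapp list --resource-group "$(rg_for_input "$1")" \
    --query "[?ends_with(name, '$1')].name" --output tsv | head -n 1
}

# Number of functions in the app; 0 matches the portal's "No results".
function_count() {
  az functionapp function list --resource-group "$(rg_for_input "$1")" \
    --name "$2" --query "length(@)" --output tsv
}

# Prints one of: invalid-input-id, no-function-app, deployed,
# sync-requested, error.
ensure_function_deployed() {
  valid_input_id "$1" || { echo "invalid-input-id"; return 64; }
  app=$(find_function_app "$1") || { echo "error"; return 1; }
  [ -n "$app" ] || { echo "no-function-app"; return 2; }
  count=$(function_count "$1" "$app") || { echo "error"; return 1; }
  if [ "${count:-0}" -gt 0 ]; then
    echo "deployed"
    return 0
  fi
  # CLI counterpart of Deployment Center > Sync (re-fetch the function code).
  az functionapp deployment source sync \
    --resource-group "$(rg_for_input "$1")" --name "$app" >/dev/null \
    || { echo "error"; return 1; }
  echo "sync-requested"
}

# Run only when an input id is passed on the command line.
if [ "$#" -gt 0 ]; then
  ensure_function_deployed "$1"
fi
```

After `sync-requested`, wait approximately 1-5 minutes and run the script again; `deployed` means the function is now listed.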
Data management troubleshooting
If your status on the Data Management page is not Success or In Progress, and the status never changes when you click Refresh, you may have to delete the data input and start again.
For information about status messages, see Verify the data input for Azure in Data Manager.
Search for events and logs
Use the following searches to find events and logs. From the Splunk Cloud menu bar, click Apps > Search & Reporting.
If data ingestion is failing, but you see no errors in Data Manager, you can check for errors in the Azure logs by running the following in Splunk Web Search.
index=<user selected index> sourcetype="azure:aad"
Search for Azure events associated with a specific input ID.
index=<user selected index> datamanager_input_id=<input_id>
This documentation applies to the following versions of Data Manager: 1.4.0