Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services


Release history for the Splunk Add-on for Microsoft Cloud Services

The latest version of the Splunk Add-on for Microsoft Cloud Services is version 5.2.2. See Release notes for the Splunk Add-on for Microsoft Cloud Services for the release notes of this latest version.

Version 5.2.1

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services was released on October 6, 2023.

Upgrading to versions 5.1.0 and 5.2.0 depends on version 5.0: upgrade to version 5.0 first, then upgrade to these versions. This dependency has been eliminated in versions 5.1.2 and 5.2.1. See the release notes topic for more details.

Check the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, 9.0.x, 9.1.x
CIM version 5.1.0
Supported OS for data collection Platform independent
Vendor products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Removed the dependency on version 5.0.0 during upgrade for the Storage Blob input.

Fixed issues

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:


Known issues

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:


Date filed Issue number Description
2023-10-05 ADDON-65366 Azure Resource inputs configured in version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services do not support Azure Sovereign Regions
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Third-party software attributions

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.2.0

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services was released on September 17, 2023.

After upgrading to version 5.0.0 or later of this add-on, you might observe a rise in the usage of memory and CPU resources within your deployment.

Check the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.2.x, 9.0.x, 9.1.x
CIM version 5.1.0
Supported OS for data collection Platform independent
Vendor products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Updated Azure Resource, Azure Consumption APIs and the Azure Storage Blob SDK to their latest versions.
  • Fixed security-related issues.
  • Updated the read_timeout parameter's default value for the Azure Storage Blob input to 60 seconds.
  • Automatic deletion of obsolete Storage Blob file checkpoints after successful migration to KV store.

Fixed issues

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:


Known issues

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:


Date filed Issue number Description
2023-10-05 ADDON-65366 Azure Resource inputs configured in version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services do not support Azure Sovereign Regions
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Third-party software attributions

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services



Version 5.1.2

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services was released on October 3, 2023.

See the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM version 5.1.0
Supported OS for data collection Platform independent
Vendor products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Removed the dependency on the v5.0.0 step upgrade for the Storage Blob input.

Fixed issues

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:


Known issues

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:


Date filed Issue number Description
2023-10-05 ADDON-65366 Azure Resource inputs configured in version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services do not support Azure Sovereign Regions
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Third-party software attributions

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.1.1

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services was released on May 2, 2023.

See the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM version 5.1.0
Supported OS for data collection Platform independent
Vendor products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Improved CPU utilization for eventhub inputs.
  • Improved logging mechanism for eventhub inputs.
  • Added a warning message to the Azure App account update, proxy, and logging pages, informing users that they will be required to re-enable EventHub inputs upon account, proxy, and log level changes.

Fixed issues

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:


Known issues

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:


Date filed Issue number Description
2023-10-05 ADDON-65366 Azure Resource inputs configured in version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services do not support Azure Sovereign Regions

Third-party software attributions

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.1.0

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services was released on May 2, 2023.

Please also check the release notes for Splunk Add-on for Microsoft Cloud Services v5.0.0 before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM version 5.1.0
Supported OS for data collection Platform independent
Vendor products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • The following inputs were migrated from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. If these inputs are configured in the Splunk Add-on for Microsoft Cloud Services, they are treated as new inputs. It is recommended to disable those inputs in the Splunk Add-on for Microsoft Azure:
    • Introduced the Azure Metrics input
    • Introduced the Azure KQL Log Analytics input
    • Introduced the Azure Consumption (Billing) input
    • Introduced new Resource Types (Disk Data, Image Data, Snapshot Data, Resource Groups, Security Groups and Subscriptions) in the Azure Resource input
  • Security-related issues have been fixed.
  • Introduced the Read Timeout parameter to the Storage Blob input, which can be used to resolve the issue of data ingestion getting stuck. See the Storage Blob input configuration manual for more information.
  • Added UI support to the Blob Mode parameter.




Provided CIM 5.1.0 support for the following:

Sourcetype Category
mscs:resource:securityGroup Azure Resource
mscs:resource:disk Azure Resource
mscs:resource:image Azure Resource
mscs:resource:snapshot Azure Resource
mscs:resource:subscriptions Azure Resource
mscs:resource:resourceGroup Azure Resource

Fixed issues

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:


Known issues

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:


Date filed Issue number Description
2023-10-05 ADDON-65366 Azure Resource inputs configured in version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services do not support Azure Sovereign Regions
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Third-party software attributions

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services


Version 5.0.0

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on March 21, 2023.

Compatibility

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM version 5.0.2
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  1. The following enhancements were made on the Eventhub Input. See Input Parameters for more details:
    1. Resolved the memory leak issue for the input.
    2. Introduced load balancing support across multiple instances. See the Horizontal Scaling Across Multiple Splunk Environment section in the Eventhub input manual for more information.
    3. Introduced debug loggers to the input execution. See Input Parameters for more details.
  2. Enhancements were made on the Storage Blob Input. The Storage Blob checkpoint will be migrated from the File checkpoint mechanism to the KV Store mechanism.

    If inputs are interrupted during the checkpoint migration in the first interval after upgrading the add-on to Version 5.0.0, it may lead to data duplication.

    1. The checkpoint mechanism was migrated to the Splunk KV Store.
    2. Introduced Horizontal Scaling that would allow parallel data ingestion via multiple inputs on a common KV Store architecture. See Horizontal Scaling for more information.
    3. Introduced a new field called Prefix to optimize the execution time of the input.
    4. Introduced an Advanced Tab in the Configuration Tab to control the File Based Checkpoint deletion for Storage Blob. See Configure Advanced settings in Splunk Add-on for Microsoft Cloud Services for more information.

Provided CIM 5.0.2 support for the following:

Sourcetype Category
azure:monitor:aad AzureActiveDirectory
azure:monitor:activity Administrative

See the following table for the CIM fields removed for 5.0.0:

| Source-type | operationName | Fields removed | Reason for removed fields |
| --- | --- | --- | --- |
| azure:monitor:aad | Add a deletion-marked app role assignment grant to user as part of link removal | object | The event is not mapped to any Datamodel |
| azure:monitor:aad | Add blocked user | object_id | There is no ID for the target user present in the raw event. |
| azure:monitor:aad | Clear block on user | object_id | There is no ID for the target user present in the raw event. |
| azure:monitor:aad | POST Tenant.RemoveBlockedUser, POST Tenant.CreateBlockedUser, Update StsRefreshTokenValidFrom Timestamp, Process role update request, User started security info registration | object | The event is not mapped to any datamodel. |
| azure:monitor:aad | Sign-in activity, Validate user authentication, Risky user, User Risk Detection | object | The object field is not part of the datamodels mapped to the events. |
| azure:monitor:aad | Start applying group based license to users | object | The event is not mapped to any datamodel. |

See the following table for a list of CIM fields modified for 5.0.0:

| Source-type | CIM Field | operationName | Comment |
| --- | --- | --- | --- |
| azure:monitor:aad | object | Access review ended, Add app role assignment grant to user, Add blocked user, Add conditional access policy, Add label, Add owner to group, Add owner to service principal, Add role definition, Add role from template, Add user, Clear block on user, Consent to application, Create access package catalog, Create business flow, Create connected organization, Delete access package catalog, Delete application, Delete business flow, Delete conditional access policy, Delete group, Delete policy, Delete role definition, Delete user, Disable account, Enable account, Finish applying group based license to users, Get resource properties of a tenant, Get tenant details, Hard Delete application, Hard Delete group, Hard Delete user, Hard delete service principal, Initialize tenant, POST Tenant.CreateTenant, Remove app role assignment from user, Remove eligible member from role in PIM completed (permanent), Remove eligible member from role in PIM completed (timebound), Remove member from role, Remove member from role in PIM completed (permanent), Remove member from role in PIM completed (timebound), Remove member from role in PIM requested (permanent), Remove member from role in PIM requested (timebound), Remove owner from application, Remove owner from group, Remove service principal, Restore application, Set Company Information, Set directory feature on tenant, Set group license, Set user manager, Update access package catalog, Update application, Update authorization policy, Update business flow, Update conditional access policy, User registered all required security info, User registered security info | The object field has changed: the extraction is now more accurate and yields more specific values. For example, the object was previously the generic Azure AD and now has a more specific and meaningful value. |
| azure:monitor:aad | object_attrs | Add app role assignment grant to user, Add label, Add owner to group, Add owner to service principal, Add role from template, Add user, Create connected organization, Delete user, Disable account, Enable account, Hard Delete user, Hard delete service principal, POST Tenant.CreateTenant, Remove app role assignment from user, Remove eligible member from role in PIM completed (permanent), Remove eligible member from role in PIM completed (timebound), Remove member from role, Remove member from role in PIM completed (permanent), Remove member from role in PIM completed (timebound), Remove member from role in PIM requested (permanent), Remove member from role in PIM requested (timebound), Remove owner from application, Remove owner from group, Remove service principal, Update access package catalog, Update business flow, Verify domain | The object_attrs field now has a more meaningful (and sometimes more concise) value than before. |
| azure:monitor:aad | user | Add blocked user, Clear block on user, Disable account, Enable account, Hard Delete user, Remove eligible member from role in PIM completed (permanent), Remove eligible member from role in PIM completed (timebound), Remove member from role in PIM completed (permanent), Remove member from role in PIM completed (timebound), Remove member from role in PIM requested (permanent), Remove member from role in PIM requested (timebound), Set user manager, User registered all required security info, User registered security info | The user field value is now corrected and extracted properly, reflecting the CIM definitions of this field in the Change Datamodel (All_changes and Account_management Datasets). |

Fixed issues

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:


Date resolved Issue number Description
2023-03-20 ADDON-46473 Resource memory leak issue for Splunk Add-on for Microsoft Cloud Services storage blob input
2023-03-20 ADDON-58868, ADDON-58800 Make Eventhub Input Sourcetype Editable
2022-11-18 ADDON-53651 UI pages get errored out due to leading/trailing spaces in the account name
2022-10-06 ADDON-47585, ADDON-43503 OS memory leak while using eventhub input

Known issues

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2023-10-05 ADDON-65366 Azure Resource inputs configured in version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services do not support Azure Sovereign Regions
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Third-party software attributions

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 4.5.2

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services was released on February 15, 2023.

Compatibility

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM version 5.0.1
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New features

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Security-related issues have been fixed. No new features added.

Fixed issues

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:



Known issues

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-12-02 ADDON-58868, ADDON-58800 Make Eventhub Input Sourcetype Editable

Third-party software attributions

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services


Version 4.5.1

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services was released on November 15, 2022.

Compatibility

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM version 5.0.1
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

Fixed issues

Note: Eventhub input does not support "Transport Type" as "AMQP" in Splunk Cloud.

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

  • Fixed event parsing issue in Event Hub input.
  • Fixed event hub data collection issue with transport type AMQP.

Known issues

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-07-12 ADDON-53651 UI pages get errored out due to leading/trailing spaces in the account name

Third-party software attributions

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.5.0

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services was released on July 31, 2022.

Compatibility

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.0.x, 8.1.x, 8.2.x, 9.0.0
CIM version 5.0.1
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Provided CIM support for Azure Data Share events
  • Updated Azure Audit API, Azure Storage Blob, and Storage Table client SDK to the latest version

Note: A high-level overview of differences between Audit API version 2015-04-01 and the old 2014-04-01 version:

  • The key name was changed for the following fields of the audit events, but the value remains the same:
    • eventSource → category
    • resourceUri → resourceId
  • The following fields were added in response to the latest Audit API version:
    • "resourceType":{"value": "<value>", "localizedValue": "<localizedValue>"}
    • "tenantId": "<tenant_id>"

Fixed issues

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:


Date resolved Issue number Description
2022-07-27 ADDON-54080 Data collection is not working on NOAH(Victoria) Search Head Cluster
2022-07-01 ADDON-41943 Sorting of Input type column in inputs page isn't working
2022-06-27 ADDON-51220 MSCS Add-on (v4.1.5) not parsing JSON-formatted log file correctly
2022-06-17 ADDON-52317 Error reading Azure Storage Table input: TypeError: Object of type bytes is not JSON serializable


Known issues

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-11-09 ADDON-57951, ADDON-57941, ADDON-58113 Event hub input having parsing issues with custom json events
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Third-party software attributions

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services


Version 4.3.3

Version 4.3.3 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • The Microsoft Azure Event Hubs input in the previous version of the Splunk Add-on for Microsoft Cloud Services had an additional level of nesting for ingested events that had a records key. The additional nesting has been removed to provide a simpler and faster query experience.

    Previous versions of the Splunk Add-on for Microsoft Cloud Services:

    {
      "body": {
        "records": {
          "field1": value1
        }
      }
    }

    Current version of the Splunk Add-on for Microsoft Cloud Services:

    {
      "body": {
        "field1": value1
      }
    }

  • Bug fixes.
  • Fixed a memory leak issue that was affecting the performance of the Event Hub input.
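
An added example (not code from the add-on or from the original release notes): searches and detections written against the pre-4.3.3 Event Hub shape reference body.records.* and stop matching events ingested after the upgrade. The sketch below flags and rewrites such field paths and normalizes archived events to the new shape; the function names, saved-search names, index name and sample events are constructed for illustration.

```python
import re

# Field path prefix used by searches written against versions before 4.3.3.
# The lookbehind avoids matching inside longer names such as "mybody.records.x".
_OLD_PATH = re.compile(r"(?<![\w.])body\.records\.(?=\w)")


def unnest_records(event):
    """Return a copy of `event` in the 4.3.3 shape (body.records.* -> body.*)."""
    body = event.get("body")
    # Assumption: only lift when "records" is the sole key of body and holds an
    # object, so events that merely carry a field named "records" stay untouched.
    if not (isinstance(body, dict)
            and list(body) == ["records"]
            and isinstance(body["records"], dict)):
        return dict(event)
    flattened = dict(event)
    flattened["body"] = dict(body["records"])
    return flattened


def rewrite_search(spl):
    """Rewrite pre-4.3.3 field paths in a search string to the new paths."""
    return _OLD_PATH.sub("body.", spl)


def stale_searches(saved_searches):
    """Return the names of saved searches that still use the old field paths."""
    return sorted(name for name, spl in saved_searches.items()
                  if _OLD_PATH.search(spl))


# Constructed sample data, mirroring the two shapes shown above.
OLD_EVENT = {"body": {"records": {"field1": "value1"}}}
NEW_EVENT = {"body": {"field1": "value1"}}

# Constructed saved searches; "index=azure" is a placeholder index name.
SAVED_SEARCHES = {
    "eventhub_field1_old": 'index=azure "body.records.field1"=value1 '
                           "| stats count by body.records.field1",
    "eventhub_field1_new": 'index=azure "body.field1"=value1 | stats count',
}

if __name__ == "__main__":
    print(unnest_records(OLD_EVENT))
    for name in stale_searches(SAVED_SEARCHES):
        print(name, "->", rewrite_search(SAVED_SEARCHES[name]))
```

Run the stale-search check against exported saved searches before upgrading, so affected detections are updated in the same change window.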

In this release, the existing lookups are updated for the Self Service App Install (SSAI) upgrade. Lookups do not update with the latest values automatically. To fix this issue, upgrade the Splunk Add-on for Microsoft Cloud Services, then manually update the lookup files using the latest version of this add-on.

Fixed issues

Version 4.3.3 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Date filed Issue number Description
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Known issues

Version 4.3.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-07-12 ADDON-53651 UI pages get errored out due to leading/trailing spaces in the account name
2022-05-30 ADDON-52317 Error reading Azure Storage Table input: TypeError: Object of type bytes is not JSON serializable
2022-03-22 ADDON-49498 MSCService fails to connect when proxy password contains backslashes
2022-01-04 ADDON-46473 Resource memory leak issue for Splunk Add-on for Microsoft Cloud Services storage blob input
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on
    Workaround: None. Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

Version 4.2.0

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services was released on September 13, 2021.

Compatibility

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM version 4.20
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • UI component upgrades for compatibility with future versions of the Splunk software (jQuery upgrade).
  • Bug fixes.
  • Common Information Model (CIM) Release Notes:
    • Compatibility with CIM version 4.20.
    • The following CIM mapping enhancements:
      • Added support for Alert and Change data models in the mscs:azure:audit sourcetype.
      • Added support for Inventory_Network data model in the mscs:azure:networkInterfaceCard sourcetype.
      • Fixed existing field mapping issue for image_name and severity fields in mscs:resource:virtualMachine and mscs:azure:security:recommendation sourcetypes respectively.
      • The following mscs:azure:audit sourcetype enhancements:
        • Added an extra field event_description to retain the existing description values from the event and updated the description field values as per the Alert CIM data model recommendations.
        • Added new lookup mscs_audit_change_cim_fields_with_status_code.csv for populating CIM fields.
      • Updated the values in the lookup mscs_security_alert_object_category.csv for the mscs:azure:security:alert sourcetype.

In this release, the existing lookups are updated for the Self Service App Install (SSAI) upgrade. Lookups do not update with the latest values automatically. To fix this issue, upgrade the Splunk Add-on for Microsoft Cloud Services, then manually update the lookup files using the latest version of this add-on.

Fixed issues

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:


Known issues

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-09-09 ADDON-41943 Sorting of Input type column in inputs page isn't working
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.5

Fixed issues

Version 4.1.5 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:


Date resolved Issue number Description
2021-09-07 ADDON-37913, ADDON-34388 Duplicate Events when reading Azure Blob Storage 4.1.0 and up (including latest 4.1.1)
2021-08-26 ADDON-37408 issue with Blob Storage inputs

Known issues

Version 4.1.5 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2022-05-02 ADDON-51220 MSCS Add-on (v4.1.5) not parsing JSON-formatted log file correctly
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Third-party software attributions

Version 4.1.5 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.4

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services was released on July 28, 2021.

Compatibility

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.18
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services


New Features

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Bug fixes

Fixed issues

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:


Date resolved Issue number Description
2021-07-26 ADDON-37898 Splunk Add-on for Microsoft Cloud Services, latest upgrade, unable to find the "record" key
2021-07-22 ADDON-37866 Splunk_TA_microsoft-cloudservices-4.1.2 is missing logs
2021-07-12 ADDON-37300 Handle InvalidRange Error in blob storage input
2021-06-30 ADDON-37359 MSCS documentation incorrect/unclear for the required Azure permissions
2021-06-30 ADDON-36176 Splunk Add-on for Microsoft Cloud Services upgrade from 4.1.1 to 4.1.2 and now hitting _http_error_handler raise ex azure.common.AzureHttpError: The condition specified using HTTP conditional header(s) is not met.

Known issues

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-08-19 ADDON-40841 MacOS not supported for MSCS add-on

Workaround:
None. The Splunk Add-on for Microsoft Cloud Services is not supported on all MacOS versions.

2021-07-20 ADDON-39557 Storage Account Configuration Page and Input Page is not loading on MacOS and getting Splunk error
2021-05-25 ADDON-37408 issue with Blob Storage inputs
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Third-party software attributions

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 4.1.3

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services was released on May 14, 2021.

Compatibility

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services


New Features

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • When event hub data is ingested by the Splunk software, different events are generated in the Splunk platform for each record.
  • Each record from event hub data is now split into separate Splunk events.
  • Fixed an event hub input bug where event hub data isn't ingested due to the following client secret error:

AADSTS7000215: Invalid client secret is provided.

  • The upper limit for max_batch_size is increased to 10000.

Fixed issues

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:


Date resolved Issue number Description
2021-05-04 ADDON-33920 EventHub events processing with Microsoft Cloud Services 4.1.0 issues
2021-04-29 ADDON-36235 Splunk Add-on for Microsoft Cloud Services Eventhub input failing on v 4.1.2 with Invalid Client Exception

Known issues

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-06-07 ADDON-37898 Splunk Add-on for Microsoft Cloud Services, latest upgrade, unable to find the "record" key
2021-06-03 ADDON-37866 Splunk_TA_microsoft-cloudservices-4.1.2 is missing logs
2021-05-25 ADDON-37408 issue with Blob Storage inputs
2021-05-24 ADDON-37359 MSCS documentation incorrect/unclear for the required Azure permissions
2021-05-20 ADDON-37300 Handle InvalidRange Error in blob storage input
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Third-party software attributions

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 4.1.2

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services was released on April 20, 2021.

Compatibility

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services


New Features

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Changes to the Blob Storage input to address a data duplication issue with Append Blobs.

Fixed issues

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Date filed Issue number Description
2020-09-21 ADDON-34660 Splunk Add-on for Microsoft Cloud Services Storage Input users need to be able to ingest delta changes to an Append blob


Known issues

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services introduced a blob storage duplication solution that conflicts with the event hub input, leading to the following error:

AADSTS7000215: Invalid client secret is provided.

If you do not need the blob storage duplication fix, the best practice is to continue using version 4.1.1 of this add-on instead of upgrading to version 4.1.2.


Date filed Issue number Description
2021-06-08 ADDON-37913, ADDON-34388 Duplicate Events when reading Azure Blob Storage 4.1.0 and up (including latest 4.1.1)

Workaround:
n/a
2021-04-27 ADDON-36235 Splunk Add-on for Microsoft Cloud Services Eventhub input failing on v 4.1.2 with Invalid Client Exception
2021-04-26 ADDON-36176 Splunk Add-on for Microsoft Cloud Services upgrade from 4.1.1 to 4.1.2 and now hitting _http_error_handler raise ex azure.common.AzureHttpError: The condition specified using HTTP conditional header(s) is not met.
2021-02-16 ADDON-33920 EventHub events processing with Microsoft Cloud Services 4.1.0 issues
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Third-party software attributions

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.1

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services was released on February 12, 2021.

Compatibility

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services


New Features

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • The 4.1.0 release of MSCS included a new SDK and libraries to support Event Hubs. Due to some underlying Splunk Python behavior, some customers who had other Microsoft TAs installed noted that the GUI configuration was failing for MSCS. This release solves this library clash issue.
  • Improvements to proxy configuration, enforcing an integer value.
  • Fix for a UnicodeDecodeError exception that some customers were seeing for the Event Hubs modular input.

Fixed issues

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:


Date resolved Issue number Description
2021-02-09 ADDON-32446 Configuration on Azure App Account won't load on Inputs Data Manager version 8.1.2008

Known issues

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2021-03-05 ADDON-34660 Splunk Add-on for Microsoft Cloud Services Storage Input users need to be able to ingest delta changes to an Append blob
2021-02-26 ADDON-34388, ADDON-37913 Duplicate Events when reading Azure Blob Storage 4.1.0 and up (including latest 4.1.1)

Workaround:
n/a
2021-02-16 ADDON-33920 EventHub events processing with Microsoft Cloud Services 4.1.0 issues
2021-01-07 ADDON-32682 Microsoft Cloud service app collected duplicated events
2020-12-30 ADDON-32256 Splunk Add-on for Microsoft Cloud Services Python memory leak when upgrading from 4.0.1 to 4.1.0

Third-party software attributions

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.0

It is a best practice to use either version 4.1.1 and later or versions 4.0.2 and earlier of this add-on.

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services was released on January 9, 2020.

Compatibility

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services cannot be installed on the same Splunk platform instance as one that has the Microsoft Azure Add-on for Splunk installed.

New Features

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Support for the Microsoft Azure Event Hubs input type.

Fixed issues

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.



Version 4.0.2

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services was released on August 31, 2020.

Compatibility

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services


New Features

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Improved support for the Splunk Enterprise Security Assets & Identities Framework interface.
  • Additional storage blob input capability and security compatibility.
  • Federal Information Processing Standard (FIPS) compliance.
  • Additional Python3 library support.

For more information on migrating your deployment to a Python 3 deployment, see Upgrade using the Python 3 runtime and dual-compatible Python syntax in custom scripts in the Splunk Enterprise Installation manual.

Fixed issues

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

The Splunk Add-on for Microsoft Cloud Services version 4.0.2 is incompatible with Splunk Enterprise versions 7.x.x and earlier.

Third-party software attributions

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 4.0.1

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services was released on August 31, 2020.

Compatibility

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

The following migration guide is supported for upgrading from version 3.0.0 to version 4.0.0 or later. Upgrading from any version older than 3.0.0 requires a fresh installation of version 3.0.0.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files, which may result in data loss for your already configured inputs.
  2. Install the Splunk Add-on for Microsoft Cloud Services version 3.1.0 and up from the Splunk Web UI (make sure the Upgrade App checkbox is selected).
  3. Restart the Splunk platform.
  4. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  5. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  6. Complete the authorization of your account by adding your account secret key/account token.
  7. Repeat the above steps for all inputs that have an alert sign against them.
  8. Enable each desired input to start data collection.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services remove the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

New Features

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Default support for Python 3

For more information on migrating your deployment to a Python 3 deployment, see Choose your Splunk Enterprise upgrade path for the Python 3 migration in the Splunk Enterprise Installation manual.

Fixed issues

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2020-09-17 ADDON-29404 Excessive blob errors in logs saying 'The range specified is invalid for the current size of the resource'
2019-09-09 ADDON-23159 Event breaks when encountered "time" attribute in json format blob file
2019-08-22 ADDON-22968 Azure BLOB Input intermittently stopping
2019-02-27 ADDON-21430 Enable/Disable functionality not working when Input name contains special characters.

Third-party software attributions

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on October 21, 2019.

Compatibility

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

The following migration guide is supported for upgrading from version 3.0.0 to version 4.0.0. Upgrading from any version older than 3.0.0 requires a fresh installation of version 3.0.0.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files, which may result in data loss for your already configured inputs.
  2. Install the Splunk Add-on for Microsoft Cloud Services version 3.1.0 from the Splunk Web UI (make sure the Upgrade App checkbox is selected).
  3. Restart the Splunk platform.
  4. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  5. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  6. Complete the authorization of your account by adding your account secret key/account token.
  7. Repeat the above steps for all inputs that have an alert sign against them.
  8. Enable each desired input to start data collection.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services remove the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

New Features

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Support for Python 3

For more information on migrating your deployment to a Python 3 deployment, see Choose your Splunk Enterprise upgrade path for the Python 3 migration in the Splunk Enterprise Installation manual.

Fixed issues

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:


Date resolved Issue number Description
2019-10-06 ADDON-21694 Duplicate events from mscs storage table data

Known issues

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2019-09-09 ADDON-23159 Event breaks when encountered "time" attribute in json format blob file
2019-08-22 ADDON-22968 Azure BLOB Input intermittently stopping
2019-02-27 ADDON-21430 Enable/Disable functionality not working when Input name contains special characters.

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services was released on April 8, 2019.

Compatibility

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

The following migration guide is supported for upgrading from version 3.0.0 to version 3.1.0. Upgrading from any version older than 3.0.0 requires a fresh installation of version 3.0.0.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files, which may result in data loss for your already configured inputs.
  2. Install the Splunk Add-on for Microsoft Cloud Services version 3.1.0 from the Splunk Web UI (make sure the Upgrade App checkbox is selected).
  3. Restart the Splunk platform.
  4. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  5. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  6. Complete the authorization of your account by adding your account secret key/account token.
  7. Repeat the above steps for all inputs that have an alert sign against them.
  8. Enable each desired input to start data collection.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services remove the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

New Features

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Credential validation of Account Name and Account secret key on Account configuration page.

Fixed issues

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:


Date resolved Issue number Description
2019-02-08 ADDON-20248 Getting ERROR "No handlers could be found for logger" in splunkd.log file after installation of MSCS Add-On

Known issues

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2019-09-09 ADDON-23159 Event breaks when encountered "time" attribute in json format blob file
2019-08-22 ADDON-22968 Azure BLOB Input intermittently stopping
2019-02-27 ADDON-21430 Enable/Disable functionality not working when Input name contains special characters.

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.



Version 3.0.0

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services removes the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

After you install version 3.0.0, you must clear the cache on the host of your Splunk platform instance or force refresh the input and configuration page the first time you use Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

New Features

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new feature:

  • Support for XML and JSON field extractions via the mscs:storage:blob:xml and mscs:storage:blob:json sourcetypes.

Fixed issues

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:


Date resolved Issue number Description
2018-12-03 ADDON-16917, ADDON-20020 Add-on doesn't respect proxy settings for Azure inputs and cannot ingest Azure data
2018-01-19 ADDON-15540 Not Receiving MSCS data

Known issues

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:


Date filed Issue number Description
2019-04-05 ADDON-21694 Duplicate events from mscs storage table data
2019-03-13 ADDON-21516 Unable to authenticate against the Proxy using a service account
2018-11-13 ADDON-20248 Getting ERROR "No handlers could be found for logger" in splunkd.log file after installation of MSCS Add-On
2018-08-21 ADDON-19162 Forwarder restart leads to WAD ingestion breaking
2017-02-06 ADDON-13476 Error happens during upgrade

Workaround:
Disable the add-on before upgrading, and re-enable it after the upgrade is complete.

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

New Features

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features and enhancements.

  • Support for Office365 Government Cloud
  • Support for Azure Government Cloud
  • Support for the Audit General class of Office365 events

Fixed issues

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.


Date resolved Issue number Description
2017-09-05 ADDON-15008, ADDON-11154 Wrong account number shows in Azure App account page
2017-08-31 ADDON-13410, ADDON-14132 Unable to get information from default metric azure tables that are using the name convention $Metrics
2017-03-06 ADDON-11505 Table is not unique per account/region

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.


Date filed Issue number Description
2019-04-05 ADDON-21694 Duplicate events from mscs storage table data
2018-11-13 ADDON-20248 Getting ERROR "No handlers could be found for logger" in splunkd.log file after installation of MSCS Add-On
2018-08-21 ADDON-19162 Forwarder restart leads to WAD ingestion breaking
2018-01-31 ADDON-16917, ADDON-20020 Add-on doesn't respect proxy settings for Azure inputs and cannot ingest Azure data
2018-01-09 ADDON-16542 UI Error on Inputs Tab for Audit.General data
2017-08-15 ADDON-15540 Not Receiving MSCS data
2017-05-24 ADDON-14876 Proxy type Sock4/Sock5 is not supported in Resource/Audit channel

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.3

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4 and later
CIM 4.4 and later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

New Features

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services has the following new features and enhancements.

  • Enhanced stability and performance in data collection through the O365 Management APIs
  • Updates to pagination handling for the O365 Management Activity APIs
  • Added proxy support for Audit and Resource data inputs
  • Optimized performance for the Diagnostics and websitesapplogs tables

Fixed issues

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.


Date resolved Issue number Description
2017-06-09 ADDON-14908 Error message in internal log for O365 Sharepoint
2017-06-06 ADDON-14248 Splunk_TA_microsoft-cloudservices contains long path names which exceed Windows 260 path length limit

Known issues

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.


Date filed Issue number Description
2017-08-15 ADDON-15540 Not Receiving MSCS data
2017-07-20 ADDON-15343 Event with same Id may be fetched several times for O365 Azure AD Audit due to O365 management API behaviour
2017-06-23 ADDON-15129 Possible data duplication after disable/enable O365 data input during data collection
2017-06-07 ADDON-15008, ADDON-11154 Wrong account number shows in Azure App account page
2017-05-24 ADDON-14876 Proxy type Sock4/Sock5 is not supported in Resource/Audit channel
2017-05-11 ADDON-14748 The start_time cannot be deleted for Audit input
2017-02-06 ADDON-13476 Error happens during upgrade

Workaround:
Disable the add-on before upgrading, and re-enable it after the upgrade is complete.
2016-11-21 ADDON-12262 Local files generated immediately after installing the TA
2016-10-06 ADDON-11505 Table is not unique per account/region
2016-09-22 ADDON-11423 Data cannot be collected if blob name contains special characters
2016-09-18 ADDON-11316, ADDON-8280 Add-on throws "Failed to load endpoint", "Refresh token failed", "Failed to init ServerInfo", "Failed to send rest request" errors during restart after initial installation
2016-09-04 ADDON-11164 Proxy type and DNS Resolution configuration does not work for storage
2016-08-22 ADDON-10984 Fails to get VM meta data in classic category

Third-party software attributions

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.2

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4 and 6.5
CIM 4.4 or later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

Fixed issues

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Publication Date Issue number Description
2017/02/20 ADDON-12556 Cannot use proxy without Authentication in Storage channel.
2017/02/20 ADDON-12665 The length of the checkpoint file name exceeds the limitation of the operating system.
2017/02/20 ADDON-12666 Cannot parse a SAS token that does not start with '?'.

Known issues

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Date Issue number Description
2017/06/02 ADDON-14969 Truncated Key/value pairs in Splunk Add-on for Microsoft Cloud Services.
2017/02/07 ADDON-13487 The proxy value you configured in this add-on cannot be used for the Azure resource and Azure audit input channel.

Workaround: Configure the proxy on the local system for Azure resource and Azure audit input channel.

2017/02/06 ADDON-13476 Error occurs when upgrading the Splunk Add-on for Microsoft Cloud Services on the Windows platform.

Workaround: If you want to upgrade this add-on on Windows platform, disable the add-on first, then enable it after upgrading.

For the known issues in the previous release, see the release history of the Splunk Add-on for Microsoft Cloud Services.

Third-party software attributions

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the same software, CIM versions and platforms as Version 2.0.2.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Service fixes the following issues.

Resolved Date Issue number Description
2016/10/14 ADDON-10454 Only the first 30 inputs (in alphabetical order) of Azure Storage Table (including Virtual Machine Metrics) can work.

Only the first 30 Azure Storage Blob inputs (in alphabetical order) can work.

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016-10-13 ADDON-11638 This add-on does not check the input name stanza at the frontend.
2016-10-12 ADDON-11609 This add-on fails to configure the certificate in the latest Firefox browser.
2016-09-24 ADDON-11423 This add-on can only get data when the blob name in Microsoft Cloud Service contains only ASCII characters. It cannot get data if the blob name contains characters from a multibyte character set, such as Latin characters or Japanese characters.
2016-09-20 ADDON-11419 If the names of the Azure storage blob inputs under the same account differ only in case, such as INPUTS and inputs, the checkpoints conflict with each other on the Windows platform.

This issue also exists in other modular inputs.

2016-09-20 ADDON-11409 The changes in the inputs.conf won't take effect until restarting Splunk platform.
2016-09-20 ADDON-11400 If you set the log level to ERROR for Azure Audit and Azure Blob input, there are still some INFO level logs recorded in the log file.
2016-09-19 ADDON-11349 The error message "error_message=The range specified is invalid for the current size of the resource" appears in the log file if the blob input has been collected and later revised to a smaller size. The error message can be ignored.
2016-09-19 ADDON-11316 Some errors, such as Failed to load endpoint, Refresh token failed, Failed to init ServerInfo or Failed to send rest request, appear in the log file when you restart the Splunk platform. They do not affect data collection.
2016-09-15 ADDON-11298 Some data loss occurs if the Splunk platform restarts or shuts down accidentally.

Workaround: If you need to restart Splunk platform, you have to disable the inputs beforehand to prevent the data loss.

2016-09-09 ADDON-11178 You can only add the Office365 account via Splunk Web. You cannot add it using the configuration file.
2016-09-05 ADDON-11164 The Proxy Type and DNS Resolution settings do not work for Azure Storage Table and Azure Storage Blob input.
2016-08-23 ADDON-10984 This add-on cannot get Virtual Machine (classic) metadata.
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the same software, CIM versions and platforms as Version 2.0.1.

New features

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features.

Date Issue number Description
2016/09/20 ADDON-10883 Mapping to Cloud of ITSI data model.
2016/09/20 ADDON-10728 Add modular input for Azure Storage Blob data.
2016/09/20 ADDON-10727 Add modular input for Azure Storage Table data.
2016/09/20 ADDON-10129 Add modular input for Azure Audit data.
2016/09/20 ADDON-10696 Add modular input for Azure Resource data.
2016/09/20 ADDON-10222 Add modular input for Azure Virtual Machine Metrics data.

Fixed issues

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Service fixes the following issues.

Resolved Date Issue number Description
2016-09-05 ADDON-11033 If there is space in the name of inputs or account, this add-on will fail to ingest data.
2016-07-19 ADDON-9329 This add-on does not work if you install the add-on under /etc/apps/SPLUNK_HOME/ect/apps folder
2016-08-30 ADDON-8735 If the global proxy is enabled in splunk-launch.conf, the add-on cannot display the Account or Proxy tab under Configuration.

Known issues

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016-09-27 ADDON-10454 Only the first 30 inputs (in alphabetical order) of Azure Storage Table (including Virtual Machine Metrics) can work.

Only the first 30 Azure Storage Blob inputs (in alphabetical order) can work.
Workaround: You can reduce the number of inputs by using a wildcard or regular expression in the Blob list.

2016-09-24 ADDON-11423 This add-on can only get data when the blob name in Microsoft Cloud Service contains only ASCII characters. It cannot get data if the blob name contains characters from a multibyte character set, such as Latin characters or Japanese characters.
2016-09-20 ADDON-11419 If the names of the Azure storage blob inputs under the same account differ only in case, such as INPUTS and inputs, the checkpoints conflict with each other on the Windows platform.

This issue also exists in other modular inputs.

2016-09-20 ADDON-11409 The changes in the inputs.conf won't take effect until restarting Splunk platform.
2016-09-20 ADDON-11400 If you set the log level to ERROR for Azure Audit and Azure Blob input, there are still some INFO level logs recorded in the log file.
2016-09-19 ADDON-11349 The error message "error_message=The range specified is invalid for the current size of the resource" appears in the log file if the blob input has been collected and later revised to a smaller size. The error message can be ignored.
2016-09-19 ADDON-11316 Some errors, such as Failed to load endpoint, Refresh token failed, Failed to init ServerInfo or Failed to send rest request, appear in the log file when you restart the Splunk platform. They do not affect data collection.
2016-09-15 ADDON-11298 Some data loss occurs if the Splunk platform restarts or shuts down accidentally.

Workaround: If you need to restart Splunk platform, you have to disable the inputs beforehand to prevent the data loss.

2016-09-09 ADDON-11178 You can only add the Office365 account via Splunk Web. You cannot add it using the configuration file.
2016-09-05 ADDON-11164 The Proxy Type and DNS Resolution settings do not work for Azure Storage Table and Azure Storage Blob input.
2016-08-23 ADDON-10984 This add-on cannot get Virtual Machine (classic) metadata.
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on April 1, 2016. Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3.X or later
CIM 4.4 or later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, and other cloud services.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features.

Date Issue number Description
2016/03/10 ADDON-3941 Create a new add-on for Microsoft cloud services.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/15 ADDON-8280 Add-on throws "Failed to send rest request" errors during restart after initial installation unless the user waits for about one minute after installing the add-on and before restarting the Splunk platform. Workaround: Restart the Splunk platform a second time.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Last modified on 05 February, 2024