Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Download manual as PDF

Download topic as PDF

Release history for the Splunk Add-on for Microsoft Cloud Service

The latest version of the Splunk Add-on for Microsoft Cloud Service is version 3.1.0. See Release notes for the Splunk Add-on for Microsoft Cloud Service for the release notes of this latest version.

Version 3.0.0

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6,x, 7.0.x, 7.1.x, 7.2.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services removes the Microsoft 0ffice 365 module. See the Splunk Add-on for Microsoft 0ffice 365.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

After you install version 3.0.0, you must clear the cache on the host of your Splunk platform instance or force refresh the input and configuration page the first time you use Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

New Features

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new feature:

  • Support for XML and JSON field extractions via the mscs:storage:blob:xml and mscs:storage:blob:json sourcetypes.

Fixed issues

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Date resolved Issue number Description
2018-12-03 ADDON-16917, ADDON-20020 Add-on doesn't respect proxy settings for Azure inputs and cannot ingest Azure data
2018-01-19 ADDON-15540 Not Receiving MSCS data

Known issues

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Date filed Issue number Description
2019-03-13 ADDON-21516 Unable to authenticate against the Proxy using a service account
2018-11-13 ADDON-20248 Getting ERROR "No handlers could be found for logger" in splunkd.log file after installation of MSCS Add-On
2018-08-21 ADDON-19162 Forwarder restart leads to WAD ingestion breaking
2017-02-06 ADDON-13476 Error happens during upgrade

Workaround:
Disable the add-on before upgrading, and re-enable it after the upgrade is complete.

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6,x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

New Features

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Service has the following new features and enhancements.

  • Support for Office365 Government Cloud
  • Support for Azure Government Cloud
  • Support for the Audit General class of Office365 events

Fixed issues

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Date resolved Issue number Description
2018-01-22 ADDON-16769 Microsoft Cloud Services - Table is not unique per account/region
2018-01-19 ADDON-15540 Not Receiving MSCS data
2017-09-05 ADDON-15008, ADDON-11154 Wrong account number shows in Azure App account page
2017-08-31 ADDON-13410, ADDON-14132 Unable to get information from default metric azure tables that are using the name convention $Metrics
2017-05-03 ADDON-12428 Add Audit.General endpoint subscription needed
2017-03-06 ADDON-11505 Table is not unique per account/region

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Date filed Issue number Description
2018-11-13 ADDON-20248 Getting ERROR "No handlers could be found for logger" in splunkd.log file after installation of MSCS Add-On
2018-08-21 ADDON-19162 Forwarder restart leads to WAD ingestion breaking
2018-01-31 ADDON-16917, ADDON-20020 Add-on doesn't respect proxy settings for Azure inputs and cannot ingest Azure data
2018-01-09 ADDON-16542 UI Error on Inputs Tab for Audit.General data
2017-08-15 ADDON-15540 Not Receiving MSCS data
2017-05-24 ADDON-14876 Proxy type Sock4/Sock5 is not supported in Resouce/Audit channel

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.3

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4 and later
CIM 4.4 and later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

New Features

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Service has the following new features and enhancements.

  • Enhanced stability and performance in data collection through the O365 Management APIs
  • Updates to pagination handling for the O365 Management Activity APIs
  • Added proxy support for Audit and Resource data inputs
  • Optimized performance for the Diagnostics and websitesapplogs tables

Fixed issues

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Service fixes the following issues.

Date resolved Issue number Description
2017-06-09 ADDON-14908 Error message in internal log for O365 Sharepoint
2017-06-06 ADDON-14248 Splunk_TA_microsoft-cloudservices contains long path names which exceed Windows 260 path length limit

Known issues

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Date filed Issue number Description
2018-01-22 ADDON-16769 Microsoft Cloud Services - Table is not unique per account/region
2017-08-15 ADDON-15540 Not Receiving MSCS data
2017-07-20 ADDON-15343 Event with same Id may be fetched several times for O365 Azure AD Audit due to O365 management API behaviour
2017-07-17 ADDON-15300 Fails to encrypt account when multiple account and input are configured at the same time through backend

Workaround:
Perform one of the following: 
1. Add accounts through the Web UI
2. After adding multiple accounts by editing the configuraton files, open the add-on configuration page in a browser before adding new inputs.
2017-06-23 ADDON-15129 Possible data duplication after disable/enable O365 data input during data collection
2017-06-07 ADDON-15008, ADDON-11154 Wrong account number shows in Azure App account page
2017-05-24 ADDON-14876 Proxy type Sock4/Sock5 is not supported in Resouce/Audit channel
2017-05-11 ADDON-14748 The start_time cannot be deleted for Audit input
2017-02-06 ADDON-13476 Error happens during upgrade

Workaround:
Disable the add-on before upgrading, and re-enable it after the upgrade is complete.
2016-11-21 ADDON-12262 Local files generated immediately after install the TA
2016-10-06 ADDON-11505 Table is not unique per account/region
2016-09-22 ADDON-11419, ADDON-11413, ADDON-11510, ADDON-12585, ADDON-11606 same inputs name with different case have problems with check-points on windows
2016-09-22 ADDON-11423 Data cannot be collected if blob name contains special characters
2016-09-18 ADDON-11316, ADDON-8280 Add-on throws "Failed to load endpoint", "Refresh token failed", "Failed to init ServerInfo", "Failed to send rest request" errors during restart after initial installation
2016-09-04 ADDON-11164 Proxy type and DNS Resolution configuration does not work for storage
2016-08-22 ADDON-10984 Fails to get VM meta data in classic category

Third-party software attributions

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.2

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4 and 6.5
CIM 4.4 or later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

Fixed issues

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Service fixes the following issues.

Publication Date Issue number Description
2017/02/20 ADDON-12556 Cannot use proxy without Authentication in Storage channel.
2017/02/20 ADDON-12665 The length of the checkpoint file name exceeds the limitation of the operating system.
2017/02/20 ADDON-12666 Cannot parse SAS token which is not start with '?'.

Known issues

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Date Issue number Description
2017/06/02 ADDON-14969 Truncated Key/value pairs in Splunk Add-on for Microsoft Cloud Services.
2017/02/07 ADDON-13487 The proxy value you configured in this add-on cannot be used for the Azure resource and Azure audit input channel.

Workaround: Configure the proxy on the local system for Azure resource and Azure audit input channel.

2017/02/06 ADDON-13476 Error occurs during upgrading Splunk add-on for Microsoft cloud service on Windows platform.

Workaround: If you want to upgrade this add-on on Windows platform, disable the add-on first, then enable it after upgrading.

For the known issues in the previous release, see release history of the Splunk add-on for Microsoft cloud service.

Third-party software attributions

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the same software, CIM versions and platforms as Version 2.0.2.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Service fixes the following issues.

Resolved Date Issue number Description
2016/10/14 ADDON-10454 Only the first 30 inputs (in the alphabet order) of Azure Storage Table (including Virtual Machine Metrics) can work.

Only the first 30 Azure Storage Blob inputs (in the alphabet order) can work.

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016-10-13 ADDON-11638 This add-on does not check the input name stanza at the frontend.
2016-10-12 ADDON-11609 This add-on fails to configure the certificate in the latest Firefox browser.
2016-09-24 ADDON-11423 This add-on can only get data when blob name in Microsoft Cloud Service only contains ASCII code. It cannot get data if the blob name contains multibyte character set, such as Latin characters, Japanese characters.
2016-09-20 ADDON-11419 If the names of the Azure storage blob inputs under the same account are the same except the case, such as INPUTS and inputs, the checkpoint conflicts to each other on Windows platform.

This issue also exists in other modular inputs.

2016-09-20 ADDON-11409 The changes in the inputs.conf won't take effect until restarting Splunk platform.
2016-09-20 ADDON-11400 If you set the log level to ERROR for Azure Audit and Azure Blob input, there are still some INFO level logs recorded in the log file.
2016-09-19 ADDON-11349 The error message error_message=The range specified is invalid for the current size of the resource exists in the log file if the blob input has been collected and revised later to a smaller size. The error message can be ignored.
2016-09-19 ADDON-11316 There will be some errors, such as Failed to load endpoint, Refresh token failed, Failed to init ServerInfo or Failed to send rest request in the log file when you restart Splunk platform. But it does not effect data collection.
2016-09-15 ADDON-11298 There will be some data loss if the Splunk platform restart or shutdown accidently.

Workaround: If you need to restart Splunk platform, you have to disable the inputs beforehand to prevent the data loss.

2016-09-09 ADDON-11178 You can only add the Office365 account via Splunk web, you can not add it using the configuration file.
2016-09-05 ADDON-11164 The Proxy Type and DNS Resolution settings do not work for Azure Storage Table and Azure Storage Blob input.
2016-08-23 ADDON-10984 This add-on cannot get Virtual Machine (classic) metadata.
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to be uploaded it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.


Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the same software, CIM versions and platforms as Version 2.0.1.

New features

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features.

Date Issue number Description
2016/09/20 ADDON-10883 Mapping to Cloud of ITSI data model.
2016/09/20 ADDON-10728 Add modular input for Azure Storage Blob data.
2016/09/20 ADDON-10727 Add modular input for Azure Storage Table data.
2016/09/20 ADDON-10129 Add modular input for Azure Audit data.
2016/09/20 ADDON-10696 Add modular input for Azure Resource data.
2016/09/20 ADDON-10222 Add modular input for Azure Virtual Machine Metrics data.

Fixed issues

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Service fixes the following issues.

Resolved Date Issue number Description
2016-09-05 ADDON-11033 If there is space in the name of inputs or account, this add-on will fail to ingest data.
2016-07-19 ADDON-9329 This add-on does not work if you install the add-on under /etc/apps/SPLUNK_HOME/ect/apps folder
2016-08-30 ADDON-8735 If the global proxy is enabled in splunk-launch.conf, the add-on cannot display the Account or Proxy tab under Configuration.

Known issues

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016-09-27 ADDON-10454 Only the first 30 inputs (in the alphabet order) of Azure Storage Table (including Virtual Machine Metrics) can work.

Only the first 30 Azure Storage Blob inputs (in the alphabet order) can work.
Workaround: You can reduce the number of inputs by using wildcard or regex expression in the Blob list.

2016-09-24 ADDON-11423 This add-on can only get data when blob name in Microsoft Cloud Service only contains ASCII code. It cannot get data if the blob name contains multibyte character set, such as Latin characters, Japanese characters.
2016-09-20 ADDON-11419 If the names of the Azure storage blob inputs under the same account are the same except the case, such as INPUTS and inputs, the checkpoint conflicts to each other on Windows platform.

This issue also exists in other modular inputs.

2016-09-20 ADDON-11409 The changes in the inputs.conf won't take effect until restarting Splunk platform.
2016-09-20 ADDON-11400 If you set the log level to ERROR for Azure Audit and Azure Blob input, there are still some INFO level logs recorded in the log file.
2016-09-19 ADDON-11349 The error message error_message=The range specified is invalid for the current size of the resource exists in the log file if the blob input has been collected and revised later to a smaller size. The error message can be ignored.
2016-09-19 ADDON-11316 There will be some errors, such as Failed to load endpoint, Refresh token failed, Failed to init ServerInfo or Failed to send rest request in the log file when you restart Splunk platform. But it does not effect data collection.
2016-09-15 ADDON-11298 There will be some data loss if the Splunk platform restart or shutdown accidently.

Workaround: If you need to restart Splunk platform, you have to disable the inputs beforehand to prevent the data loss.

2016-09-09 ADDON-11178 You can only add the Office365 account via Splunk web, you can not add it using the configuration file.
2016-09-05 ADDON-11164 The Proxy Type and DNS Resolution settings do not work for Azure Storage Table and Azure Storage Blob input.
2016-08-23 ADDON-10984 This add-on cannot get Virtual Machine (classic) metadata.
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to be uploaded it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on April 1, 2016. Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3.X or later
CIM 4.4 or later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, and other cloud services.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features.

Date Issue number Description
2016/03/10 ADDON-3941 Create a new add-on for Microsoft cloud services.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/15 ADDON-8280 Add-on throws "Failed to send rest request" errors during restart after initial installation unless the user waits for about one minute after installing the add-on and before restarting the Splunk platform. Workaround: Restart the Splunk platform a second time.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to be upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

PREVIOUS
Release notes for the Splunk Add-on for Microsoft Cloud Services
  NEXT
Hardware and software requirements for the Splunk Add-on for Microsoft Cloud Services

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters