Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services


Troubleshoot the Splunk Add-on for Microsoft Cloud Services

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Accessing Logs of Azure Inputs

There are four different logs for different types of inputs. The following table describes them:

| Log filename | Sourcetype | Description | Troubleshooting SPL |
| --- | --- | --- | --- |
| splunk_ta_microsoft-cloudservices_storage_table.log | mscs:storage:table:log | Azure Storage Table and Virtual Machine Metrics channel log | index=_internal sourcetype="mscs:storage:table:log" ERROR |
| splunk_ta_microsoft-cloudservices_storage_blob.log | mscs:storage:blob:log | Azure Storage Blob channel log | index=_internal sourcetype="mscs:storage:blob:log" ERROR |
| splunk_ta_microsoft-cloudservices_azure_resource.log | mscs:azure:resource:log | Azure Resource channel log | index=_internal sourcetype="mscs:azure:resource:log" ERROR |
| splunk_ta_microsoft-cloudservices_azure_audit.log | mscs:azure:audit:log | Azure Audit Log channel log | index=_internal sourcetype="mscs:azure:audit:log" ERROR |

Checkpoint Directories

Checkpoints for each data source are stored in the following directories:

| Data source | Directory |
| --- | --- |
| Azure Storage Table | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_table |
| Azure Storage Blob | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_blob |
| Azure Resource | n/a |
| Azure Audit Log | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_azure_audit |

Getting data in

Azure Resource and Azure Audit:

  1. If you can't get data, check that you are using the correct Client ID, Client Secret, and Tenant ID. Grant the Application Read Access.
  2. Use the query in the preceding table to check for errors.
  3. If you have no errors and cannot collect data, remove the checkpoint file and try again.

Azure Storage Table, Azure Storage Blob and Azure Virtual Machine Metrics:

  1. If you can't get data, check that you are using the correct Account Name and Account Secret.
  2. Use the query in the preceding table to check for errors.
  3. If you have no errors and cannot collect data, remove the checkpoint file and try again.
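Step 3 of both procedures above, as an added example that is not part of the Splunk documentation: a shell function that moves a data source's checkpoint files into a backup directory instead of deleting them, so the reset can be undone. The directory names are those in the Checkpoint Directories table; the function names, data-source keys and backup path are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not Splunk tooling. Directory names come from the Checkpoint
# Directories table; the function names, data-source keys and backup directory
# are assumptions made for this illustration.

checkpoint_dir() {
  # Print the checkpoint directory for a data source.
  # Returns 2 when the table lists none (n/a) and 1 on any other failure.
  [ -n "${SPLUNK_HOME:-}" ] || { echo "SPLUNK_HOME is not set" >&2; return 1; }
  local base="$SPLUNK_HOME/var/lib/splunk/modinputs"
  case "$1" in
    storage_table)  echo "$base/mscs_storage_table" ;;
    storage_blob)   echo "$base/mscs_storage_blob" ;;
    azure_audit)    echo "$base/mscs_azure_audit" ;;
    azure_resource) return 2 ;;
    *)              echo "unknown data source: $1" >&2; return 1 ;;
  esac
}

reset_checkpoint() {
  # Usage: reset_checkpoint <data_source> <backup_dir>
  # Moves the checkpoint files into <backup_dir> rather than deleting them,
  # so the earlier collection state can be put back if needed.
  local src="$1" backup="$2" dir rc=0
  dir="$(checkpoint_dir "$src")" || rc=$?
  if [ "$rc" -eq 2 ]; then
    echo "$src: no checkpoint directory, nothing to reset" >&2
    return 0
  elif [ "$rc" -ne 0 ]; then
    return 1
  fi
  [ -d "$dir" ] || { echo "$dir not found" >&2; return 3; }
  set -- "$dir"/*
  [ -e "$1" ] || { echo "$dir is already empty" >&2; return 0; }
  mkdir -p "$backup" && mv -- "$@" "$backup"/ && echo "moved $# item(s) to $backup"
}

# Runs only when arguments are given, e.g.:
#   sh reset_checkpoint.sh azure_audit /tmp/mscs_checkpoint_backup
if [ "$#" -gt 0 ]; then
  reset_checkpoint "$@"
fi
```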

Truncated events

The default maximum number of lines for any event in the Splunk software is 256. If the number of lines in an event exceeds this limit, the Splunk software truncates the event. If you know that the maximum number of lines in a file exceeds the default, change the MAX_EVENTS setting in props.conf under the file's sourcetype stanza.

To increase the character limit beyond 10K bytes in a single line, use the TRUNCATE setting to define the size of the line. See Props.conf in the Admin manual.

Scripted inputs causing a spike in CPU percentage

If your deployment experiences a CPU spike after you install and configure the Splunk Add-on for Microsoft Cloud Services, the cause could be that too many inputs are enabled and their interval is too short. To fix this issue:

  1. Open Task Manager and verify that a high number of python.exe tasks are running.
  2. Increase intervals in proportion to the number of inputs you have configured in your deployment.
  3. Save your changes.

This documentation applies to the following versions of Splunk® Supported Add-ons: released

