Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot the Splunk Add-on for Microsoft Cloud Services

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Accessing Logs of Azure Inputs

There are four different logs for different types of inputs. The following table describes them:

Log Filename Sourcetype Description Troubleshooting SPL
splunk_ta_microsoft-cloudservices_storage_table.log mscs:storage:table:log Azure Storage Table and VIrtual Machine Metrics channel log index=_internal sourcetype="mscs:storage:
table:log" ERROR
splunk_ta_microsoft-cloudservices_storage_blob.log mscs:storage:blob:log Azure Storage Blob channel log index=_internal sourcetype="mscs:storage:
blob:log" ERROR
splunk_ta_microsoft-cloudservices_azure_resource.log mscs:azure:resource:log Azure Resource channel log index=_internal sourcetype="mscs:azure:
resource:log" ERROR
splunk_ta_microsoft-cloudservices_azure_audit.log mscs:azure:audit:log Azure Audit Log Channel related log index=_internal sourcetype="mscs:azure:
audit:log" ERROR

Checkpoint Directories

The following data sources are stored in the following directories:

Data source Directory
Azure Storage Table $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_table
Azure Storage Blob $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_blob
Azure Resource n/a
Azure Audit Log $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_azure_audit

Getting data in

Azure Resource and Azure Audit:

  1. If you can't get data, check that you are using the correct Client ID, Client Secret, and Tenant ID. Grant the Application Read Access.
  2. Use the query in the preceding table to check for errors.
  3. If you have no errors and cannot collect data, remove the checkpoint file and try again.

Azure Storage Table, Azure Storage Blob and Azure Virtual Machine Metrics:

  1. If you can't get data, check that you are using the correct Account Name and Account Secret.
  2. Use the query in the preceding table to check for errors.
  3. If you have no errors and cannot collect data, remove the checkpoint file and try again.

Configure the Splunk Add-on for Microsoft Cloud Services for Azure endpoints for international regions

Configure the Splunk Add-on for Microsoft Cloud Services for Azure endpoints from different international regions.

  1. On your Azure deployment, configure your desired region.
  2. On the machine that contains the Splunk Add-on for Microsoft Cloud Services, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  3. Using a text editor, edit the following files, depending on each data collection API endpoint, to update the regional API endpoints to match the region that you configured in your Azure deployment:
    Endpoint Affected configuration files Comments
    Office 365 login endpoint URL splunk_ta_ms_o365_server_ucc_system_setting.conf
    Office 365 management endpoint API URL splunk_ta_ms_o365_server_ucc_system_setting.conf and splunk_ta_ms_o365_api_settings.conf
    Azure account setting schema (for ingesting Azure audit events) mscs_azure_accounts.conf Set the variable account_class_type stanza to 3
    Azure storage account setting schema mscs_storage_accounts.conf Set the variable account_class_type stanza to 3
  4. Save your changes.
  5. Restart your Splunk instance to apply the changes.

Truncated events

The default number of maximum lines for any event in the Splunk software is 256. If the number of lines in an event exceeds this limit, then the Splunk software truncates the event. If you know the maximum number of lines in a file exceeds the default, change the max_events setting in props.conf under the file's sourcetype stanza.

To increase the character limit beyond 10K bytes in a single line, use the truncate setting to define the size of the line. See Props.conf in the Admin manual.

Scripted inputs causing a spike in CPU percentage

If your Microsoft Cloud Services deployment experiences a CPU spike after installing and configuring the Splunk Add-on for Microsoft Cloud Services is enabled, the issue could be that your deployment has too many inputs enabled, and too short an interval in the code. To fix this issue:

  1. Navigate to your Task Manager, and verify a high amount of python.exe tasks.
  2. Increase intervals in proportion to the number of inputs you have configured in your deployment.
  3. Save your changes.
Last modified on 01 December, 2021
PREVIOUS
Configure Azure Event Hub inputs for the Splunk Add-on for Microsoft Cloud Services 		  NEXT
Lookups for the Splunk Add-on for Microsoft Cloud Services

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters