Related Answers
Download topic as PDF
Troubleshoot the Splunk Add-on for Microsoft Cloud Services
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Accessing Logs of Azure Inputs
There are four different logs for different types of inputs. The following table describes them:
| Log Filename | Sourcetype | Description | Troubleshooting SPL |
|---|---|---|---|
splunk_ta_microsoft-cloudservices_storage_table.log
|
mscs:storage:table:log
|
Azure Storage Table and VIrtual Machine Metrics channel log | index=_internal sourcetype="mscs:storage: table:log" ERROR |
splunk_ta_microsoft-cloudservices_storage_blob.log
|
mscs:storage:blob:log
|
Azure Storage Blob channel log | index=_internal sourcetype="mscs:storage: blob:log" ERROR |
splunk_ta_microsoft-cloudservices_azure_resource.log
|
mscs:azure:resource:log
|
Azure Resource channel log | index=_internal sourcetype="mscs:storage: resource:log" ERROR |
splunk_ta_microsoft-cloudservices_azure_audit.log
|
mscs:azure:audit:log
|
Azure Audit Log Channel related log | index=_internal sourcetype="mscs:azure: audit:log" ERROR |
Checkpoint Directories
The following data sources are stored in the following directories:
| Data source | Directory |
|---|---|
| Azure Storage Table | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_table
|
| Azure Storage Blob | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_blob
|
| Azure Resource | n/a |
| Azure Audit Log | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_azure_audit
|
Getting data in
Azure Resource and Azure Audit:
- If you can't get data, check that you are using the correct Client ID, Client Secret, and Tenant ID. Grant the Application Read Access.
- Use the query in the preceding table to check for errors.
- If you have no errors and cannot collect data, remove the checkpoint file and try again.
Azure Storage Table, Azure Storage Blob and Azure Virtual Machine Metrics:
- If you can't get data, check that you are using the correct Account Name and Account Secret.
- Use the query in the preceding table to check for errors.
- If you have no errors and cannot collect data, remove the checkpoint file and try again.
Truncated events
The default number of maximum lines for any event in the Splunk software is 256. If the number of lines in an event exceeds this limit, then the Splunk software truncates the event. If you know the maximum number of lines in a file exceeds the default, change the max_events setting in props.conf under the file's sourcetype stanza.
To increase the character limit beyond 10K bytes in a single line, use the truncate setting to define the size of the line.
See Props.conf in the Admin manual.
Scripted inputs causing a spike in CPU percentage
If your Microsoft Cloud Services deployment experiences a CPU spike after installing and configuring the Splunk Add-on for Microsoft Cloud Services is enabled, the issue could be that your deployment has too many inputs enabled, and too short an interval in the code. To fix this issue:
- Navigate to your Task Manager, and verify a high amount of python.exe tasks.
- Increase intervals in proportion to the number of inputs you have configured in your deployment.
- Save your changes.
|
PREVIOUS Configure Azure Virtual Machine Metrics Modular Input for Splunk Add-on for Microsoft Cloud Services |
NEXT Lookups for the Splunk Add-on for Microsoft Cloud Services |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!