
Troubleshoot the Splunk Add-on for Microsoft Cloud Services
For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Accessing Logs of Azure Inputs
There are four different logs for different types of inputs. The following table describes them:
Log Filename | Sourcetype | Description | Troubleshooting SPL |
---|---|---|---|
splunk_ta_microsoft-cloudservices_storage_table.log | mscs:storage:table:log | Azure Storage Table and Virtual Machine Metrics channel log | index=_internal sourcetype="mscs:storage:table:log" ERROR |
splunk_ta_microsoft-cloudservices_storage_blob.log | mscs:storage:blob:log | Azure Storage Blob channel log | index=_internal sourcetype="mscs:storage:blob:log" ERROR |
splunk_ta_microsoft-cloudservices_azure_resource.log | mscs:azure:resource:log | Azure Resource channel log | index=_internal sourcetype="mscs:azure:resource:log" ERROR |
splunk_ta_microsoft-cloudservices_azure_audit.log | mscs:azure:audit:log | Azure Audit Log channel log | index=_internal sourcetype="mscs:azure:audit:log" ERROR |
Checkpoint Directories
The following data sources are stored in the following directories:
Data source | Directory |
---|---|
Azure Storage Table | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_table |
Azure Storage Blob | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_storage_blob |
Azure Resource | n/a |
Azure Audit Log | $SPLUNK_HOME/var/lib/splunk/modinputs/mscs_azure_audit |
Getting data in
Azure Resource and Azure Audit:
- If you can't get data, check that you are using the correct Client ID, Client Secret, and Tenant ID. Grant the Application Read Access.
- Use the query in the preceding table to check for errors.
- If you have no errors and cannot collect data, remove the checkpoint file and try again.
Azure Storage Table, Azure Storage Blob and Azure Virtual Machine Metrics:
- If you can't get data, check that you are using the correct Account Name and Account Secret.
- Use the query in the preceding table to check for errors.
- If you have no errors and cannot collect data, remove the checkpoint file and try again.
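The checks above can also be run directly on the Splunk host. The following script is an added example, not part of the add-on or of Splunk's documentation: it counts ERROR lines in each add-on log and moves a checkpoint directory aside (rather than deleting it) only when the log is clean. The function names, the /opt/splunk default, and the $SPLUNK_HOME/var/log/splunk log location are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk's code. File and directory names come from the
# tables on this page; the var/log/splunk location is an assumption.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
MSCS_INPUTS="storage_table storage_blob azure_resource azure_audit"

# Print the number of ERROR lines in one input's log (0 if the log is missing).
mscs_error_count() {
    log="$SPLUNK_HOME/var/log/splunk/splunk_ta_microsoft-cloudservices_$1.log"
    if [ -r "$log" ]; then
        grep -c 'ERROR' "$log" || true
    else
        echo 0
    fi
}

# One line per input: error count and whether a checkpoint directory exists.
mscs_report() {
    for name in $MSCS_INPUTS; do
        state=absent
        [ -d "$SPLUNK_HOME/var/lib/splunk/modinputs/mscs_$name" ] && state=present
        echo "$name errors=$(mscs_error_count "$name") checkpoint=$state"
    done
}

# Move a checkpoint directory aside (restorable) instead of deleting it.
# Refuses while the input's log still contains ERROR lines.
mscs_reset_checkpoint() {
    input="$1"
    dir="$SPLUNK_HOME/var/lib/splunk/modinputs/mscs_$input"
    if [ "$input" = "azure_resource" ]; then
        echo "azure_resource: checkpoint directory is n/a" >&2
        return 2
    fi
    errors=$(mscs_error_count "$input")
    if [ "$errors" -gt 0 ]; then
        echo "$input: $errors ERROR lines in the log, resolve those first" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$input: no checkpoint directory at $dir" >&2
        return 3
    fi
    backup="$dir.bak.$(date +%Y%m%d%H%M%S)"
    mv "$dir" "$backup" && echo "$backup"
}

mscs_report
```

Run `mscs_reset_checkpoint storage_blob` (or `storage_table`, `azure_audit`) after the report shows `errors=0` for that input; the function prints the path of the moved directory so it can be restored.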
Configure the Splunk Add-on for Microsoft Cloud Services for Azure endpoints for international regions
Configure the Splunk Add-on for Microsoft Cloud Services for Azure endpoints from different international regions.
- On your Azure deployment, configure your desired region.
- On the machine that contains the Splunk Add-on for Microsoft Cloud Services, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
- Using a text editor, edit the following files, depending on each data collection API endpoint, to update the regional API endpoints to match the region that you configured in your Azure deployment:

Endpoint | Affected configuration files | Comments |
---|---|---|
Office 365 login endpoint URL | splunk_ta_ms_o365_server_ucc_system_setting.conf | |
Office 365 management endpoint API URL | splunk_ta_ms_o365_server_ucc_system_setting.conf and splunk_ta_ms_o365_api_settings.conf | |
Azure account setting schema (for ingesting Azure audit events) | mscs_azure_accounts.conf | Set the variable account_class_type stanza to 3 |
Azure storage account setting schema | mscs_storage_accounts.conf | Set the variable account_class_type stanza to 3 |

- Save your changes.
- Restart your Splunk instance to apply the changes.
Truncated events
The default maximum number of lines for any event in the Splunk software is 256. If the number of lines in an event exceeds this limit, the Splunk software truncates the event. If you know that the maximum number of lines in a file exceeds the default, change the MAX_EVENTS setting in props.conf under the file's sourcetype stanza.
To increase the character limit beyond 10K bytes in a single line, use the TRUNCATE setting to define the size of the line.
See Props.conf in the Admin manual.
Scripted inputs causing a spike in CPU percentage
If your Microsoft Cloud Services deployment experiences a CPU spike after the Splunk Add-on for Microsoft Cloud Services is installed, configured, and enabled, the cause could be that your deployment has too many inputs enabled with too short an interval. To fix this issue:
- Navigate to your Task Manager, and verify that a high number of python.exe tasks are running.
- Increase intervals in proportion to the number of inputs you have configured in your deployment.
- Save your changes.
This documentation applies to the following versions of Splunk® Supported Add-ons: released