Troubleshooting Microsoft Entra ID data in Data Manager

See the following sections for information on troubleshooting Microsoft Entra ID data ingestion in Data Manager.

For troubleshooting issues that affect both Microsoft Entra ID and Microsoft Entra ID, see the Troubleshoot Azure data ingestion in Data Manager topic in this manual.

Failed Events

The Azure Function backs up events whenever it fails to send the data. These events are stored as blobs in the Azure Storage account with the prefix splkaadstr. To view them, open the storage account in the Azure portal and navigate to Containers. Event Hub messages that could not be parsed are backed up in a blob with failed-to-parse in the name. Event Hub messages that could not be sent to Splunk because of a network error are backed up in a blob with failed-to-send in the name.
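One way to triage the backed-up events described above is to count parse failures against send failures from the blob names. This is an added example, not part of the Splunk documentation. It assumes the Azure CLI is installed and signed in with read access to the storage account; the function names and sample blob names are constructed for illustration.

```shell
# Added example (not Splunk's code); function names are hypothetical.
# Assumes the Azure CLI is installed, signed in, and can read the account.

# Storage accounts whose name starts with the prefix the page gives.
find_backup_accounts() {
  az storage account list \
    --query "[?starts_with(name, 'splkaadstr')].name" -o tsv
}

# Print the name of every blob in every container of one storage account.
list_backup_blobs() (
  account="$1"
  az storage container list --account-name "$account" --auth-mode login \
    --query "[].name" -o tsv |
  while IFS= read -r container; do
    az storage blob list --account-name "$account" --auth-mode login \
      --container-name "$container" --query "[].name" -o tsv
  done
)

# Map one blob name to the failure type encoded in it.
classify_blob() {
  case "$1" in
    *failed-to-parse*) echo parse ;;   # Event Hub message could not be parsed
    *failed-to-send*)  echo send ;;    # network error while sending to Splunk
    *)                 echo other ;;
  esac
}

# Read blob names on stdin; print "parse=N send=N other=N".
summarize_blobs() (
  parse=0; send=0; other=0
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    case "$(classify_blob "$name")" in
      parse) parse=$((parse + 1)) ;;
      send)  send=$((send + 1)) ;;
      *)     other=$((other + 1)) ;;
    esac
  done
  echo "parse=$parse send=$send other=$other"
)

# Constructed sample blob names, so the summary can be tried offline.
sample_blob_names() {
  printf '%s\n' 'failed-to-parse-0001.json' 'failed-to-send-0001.json' \
    'failed-to-parse-0002.json' 'host.lock'
}
# Live use: list_backup_blobs "$(find_backup_accounts | head -n 1)" | summarize_blobs
```

A count dominated by send points to the network path between the Azure Function and Splunk, while a count dominated by parse points to the Event Hub messages themselves.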

Search for events and logs

Use the following searches to find events and logs. From the Splunk Cloud menu bar, click Apps > Search & Reporting.

If data ingestion is failing but you see no errors in Data Manager, check for errors in the Azure logs by running the following search in Splunk Web.

index=<user selected index> sourcetype="azure:monitor:aad"

Search for Azure events associated with a specific input ID.

index=<user selected index> datamanager_input_id=<input_id>

Last modified on 05 September, 2024
Data Manager: 1.11.0

