Data Manager

Troubleshooting Manual

This documentation does not apply to the most recent version of Data Manager. For documentation on the most recent version, go to the latest release.

Troubleshooting Azure Active Directory data in Data Manager

See the following sections for information on troubleshooting Azure Active Directory data ingestion in Data Manager.

For troubleshooting issues that affect both Azure Active Directory and Azure Activity Logs, see the Troubleshoot Azure data ingestion in Data Manager topic in this manual.

Failed Events

The Azure Function performs a backup of events whenever it fails to send the data. These events get backed up as blobs in the Azure Storage account with the prefix splkaadstr. Open the storage account on Azure Portal and navigate to Containers. Eventhub messages that could not be parsed get backed up in a blob with failed-to-parse in the name. Eventhub messaged that could not be sent to splunk due to some network error get backed up in a blob with failed-to-send in the name.

Search for events and logs

Use the following searches to find events and logs. From the Splunk Cloud menu bar, click Apps > Search & Reporting.

If data ingestion is failing, but you see no errors in Data Manager, you can check for errors in the Azure logs by running the following in Splunk Web Search.

index=<user selected index> sourcetype="azure:monitor:aad"

Search for Azure events associated with a specific input ID.

index=<user selected index> datamanager_input_id=<input_id>

Last modified on 07 September, 2022
Troubleshoot Azure data ingestion in Data Manager   Troubleshooting Azure Activity Logs data in Data Manager

This documentation applies to the following versions of Data Manager: 1.7.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters