Troubleshooting Azure Active Directory data in Data Manager
See the following sections for information on troubleshooting Azure Active Directory data ingestion in Data Manager.
For troubleshooting issues that affect both Azure Active Directory and Azure Activity Logs, see the Troubleshoot Azure data ingestion in Data Manager topic in this manual.
Failed Events
The Azure Function performs a backup of events whenever it fails to send the data. These events get backed up as blobs in the Azure Storage account with the prefix splkaadstr
. Open the storage account on Azure Portal and navigate to Containers. Eventhub messages that could not be parsed get backed up in a blob with failed-to-parse
in the name. Eventhub messaged that could not be sent to splunk due to some network error get backed up in a blob with failed-to-send
in the name.
Search for events and logs
Use the following searches to find events and logs. From the Splunk Cloud menu bar, click Apps > Search & Reporting.
If data ingestion is failing, but you see no errors in Data Manager, you can check for errors in the Azure logs by running the following in Splunk Web Search.
index=<user selected index> sourcetype="azure:monitor:aad"
Search for Azure events associated with a specific input ID.
index=<user selected index> datamanager_input_id=<input_id>
Troubleshoot Azure data ingestion in Data Manager | Troubleshooting Azure Activity Logs data in Data Manager |
This documentation applies to the following versions of Data Manager: 1.7.0
Feedback submitted, thanks!