Closed jactisdale closed 3 years ago
Check out this section in the wiki: https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson
All hubs must have 4 partitions.
The function is much easier to configure.
If the data input isn't showing in the list, it didn't start. Close to 100% of the time, it's because of dependencies.
The TA and the function ingest Azure Monitor data into Splunk. There's another function that allows ingestion of Azure Network Watcher NSG Flow Logs: https://github.com/Microsoft/AzureNetworkWatcherNSGFlowLogsConnector
The Splunk TA (MSCS) ingests O365 and legacy Azure feeds like storage accounts. It does not include any Azure Monitor data at all.
On Tue, Mar 26, 2019 at 1:35 PM jactisdale notifications@github.com wrote:
I was hoping to get some help with a few things. It seems the data inputs are not showing in the Web UI. I did a fresh install with no issues seen with the dependencies and found that no data inputs populated within the web interface. A previous install only showed the diagnostic and activity inputs but no metrics. With this previous install the inputs are now failing for the diagnostic events with the following in the debug events.
03-25-2019 13:32:37.055 +0000 DEBUG ExecProcessor - message from "/opt/app/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" Modular input azure_diagnostic_logs://test ==> Did not find hub: docs01. Message: amqp:not-found:The messaging entity 'sb://burgessgroupeventhub.servicebus.windows.net/docs01/consumergroups/$default/partitions/1' could not be found. TrackingId:aa2825be1dc04ec9b839ee4bca4861dc_G7, SystemTracker:gateway5, Timestamp:2019-03-25T13:32:36
Could it be suggested the newly annotated HEC might be a better solution?
One final question, and I apologize for many questions within one submitted case. What makes this TA different than the Microsoft Cloud Services TA or other Splunk-created TAs? I have not been able to identify the difference. Thanks for your patience and consideration.
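The ExecProcessor line quoted above says which hub and which partition the modular input could not open, and the maintainer's answer is that every hub needs 4 partitions. The script below is an added example (not code from AzureMonitorAddonForSplunk) that parses those lines out of splunkd.log, groups the not-found errors per hub, and uses the lowest failing partition number to tell a missing hub apart from an under-partitioned one. The regex field names, the `REQUIRED_PARTITIONS` constant and the sample log lines (the first one copied from this issue, the rest constructed in the same shape, including a second hub named `insights-logs`) are this example's own assumptions.

```python
"""Triage helper for the 'Did not find hub' errors quoted in this issue.

Added example, not code from AzureMonitorAddonForSplunk. It parses the
ExecProcessor DEBUG lines splunkd writes when a modular input cannot open an
Event Hub partition, groups the failures per hub, and hints whether the hub is
missing or simply has fewer than the 4 partitions the add-on requires.
"""
import re
from collections import defaultdict

# The add-on requires 4 partitions per hub; Event Hubs numbers them 0..3.
REQUIRED_PARTITIONS = 4

# Field names are this example's own; the add-on emits free text here.
LINE_RE = re.compile(
    r"""^(?P<ts>\d{2}-\d{2}-\d{4}\s\d{2}:\d{2}:\d{2}\.\d+\s[+-]\d{4})\s+
        (?P<level>[A-Z]+)\s+ExecProcessor\s+-\s+message\s+from\s+"(?P<script>[^"]+)"\s+
        Modular\s+input\s+(?P<input>\S+)\s+==>\s+Did\s+not\s+find\s+hub:\s+(?P<hub>\S+)\.\s+
        Message:\s+(?P<amqp>amqp:[\w-]+):.*?
        'sb://\s*(?P<namespace>[^/']+)/(?P<entity>[^/']+)/consumergroups/(?P<group>[^/']+)/partitions/(?P<partition>\d+)'
    """,
    re.VERBOSE,
)


def parse_line(line):
    """Return the parsed fields of one failure line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["partition"] = int(rec["partition"])
    return rec


def summarize(lines):
    """Map hub name -> sorted list of partition numbers that reported not-found."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["amqp"] == "amqp:not-found":
            failed[rec["hub"]].add(rec["partition"])
    return {hub: sorted(parts) for hub, parts in failed.items()}


def diagnose(failures, required=REQUIRED_PARTITIONS):
    """Heuristic hint per hub (this example's reasoning, not the add-on's).

    Partitions are numbered 0..N-1, so the lowest missing partition bounds the
    hub's partition count from above. If even partition 0 is missing, the hub
    (or the namespace/name in hubs.json) is wrong rather than under-partitioned.
    """
    hints = {}
    for hub, parts in failures.items():
        lowest = min(parts)
        if lowest == 0:
            hints[hub] = "hub not found: check the hub name and namespace in hubs.json"
        else:
            hints[hub] = (f"hub has at most {lowest} partition(s); "
                          f"the add-on needs {required}")
    return hints


# Constructed sample log: the first entry is the line quoted in this issue; the
# rest are made up in the same shape (other partitions, a second hub, and one
# unrelated line that the parser must ignore).
_TEMPLATE = (
    '03-25-2019 13:32:37.055 +0000 DEBUG ExecProcessor - message from '
    '"/opt/app/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" '
    'Modular input azure_diagnostic_logs://test ==> Did not find hub: {hub}. '
    "Message: amqp:not-found:The messaging entity 'sb://burgessgroupeventhub."
    "servicebus.windows.net/{hub}/consumergroups/$default/partitions/{part}' "
    'could not be found. TrackingId:aa2825be1dc04ec9b839ee4bca4861dc_G7, '
    'SystemTracker:gateway5, Timestamp:2019-03-25T13:32:36'
)
SAMPLE_LINES = (
    [_TEMPLATE.format(hub="docs01", part=p) for p in (1, 2, 3)]
    + [_TEMPLATE.format(hub="insights-logs", part=p) for p in range(4)]
    + ['03-25-2019 13:32:38.100 +0000 INFO ExecProcessor - message from '
       '"/opt/app/splunk/etc/apps/TA-Azure_Monitor/bin/azure_diagnostic_logs.sh" '
       'Modular input azure_diagnostic_logs://test ==> connected to hub: docs01']
)

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for hub, hint in diagnose(report).items():
        print(f"{hub}: missing partitions {report[hub]} -> {hint}")
```

Run it against `grep 'Did not find hub' $SPLUNK_HOME/var/log/splunk/splunkd.log` instead of the constructed lines to triage a real install. Whatever the script reports, confirm the count in Azure before recreating anything: `az eventhubs eventhub show --resource-group <rg> --namespace-name <ns> --name docs01 --query partitionCount` returns the hub's partition count, and a hub cannot have its partition count changed in place on the basic/standard tiers, so an under-partitioned hub has to be recreated with `--partition-count 4`.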