splunk / splunk-add-on-microsoft-azure

Splunk Add-on for Microsoft Azure
Apache License 2.0

Delay 30 Days Azure Logs #44

Closed Sioushob closed 3 months ago

Sioushob commented 1 year ago

Hi team:

We need your help because I am presented with a 30-day delay in ingesting logs from AAD to Splunk; the connection is through an IDM:

Version of the add-on is 3.1.1:

The Active Directory Sign-ins entry:

Range: 620 Query BackOff: 1 Endpoint = V1.0

Please, I need your help.

JasonConger commented 1 year ago

2 recommendations:

  1. Upgrade to version 4.x of the add-on. A change was made to implement Python Session() and Retry() classes to help with throttling and paging.
  2. The Microsoft sign-in REST API has some pretty severe throttling limits. I usually direct customers to send Azure AD sign-in events to an event hub, and then use the Splunk Add-on for Microsoft Cloud Services to retrieve the data from the hub.

Reference: https://github.com/splunk/splunk-add-on-microsoft-azure/wiki/Configure-Azure-Active-Directory-inputs-for-the-Splunk-Add-on-for-Microsoft-Azure#throttling-guidance
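As an added example of the first recommendation (this is not code from the add-on or from either commenter), the following shows what a `requests.Session` with a urllib3 `Retry` policy looks like when pulling Azure AD sign-in events from the Microsoft Graph `auditLogs/signIns` endpoint and following `@odata.nextLink` paging. The Graph URL is the real v1.0 endpoint; token acquisition is out of scope. Everything else is constructed for the demonstration: the `ScriptedAdapter` is an offline stand-in for Graph (it replaces the real HTTP adapter, so the urllib3 `Retry` logic is not exercised by it), and the two sample pages, the `$skiptoken` value and the user names are made-up data. The `demo_throttled_out` function simulates what the paging loop sees once `Retry` has given up on a persistently throttled request.

```python
# Added example (not code from the add-on): paging Microsoft Graph sign-in logs
# through a requests.Session whose HTTPAdapter carries a urllib3 Retry policy,
# plus a constructed offline transport so the paging and exhausted-retry paths run here.
import json
from typing import Iterator, List, Optional, Tuple

import requests
from requests.adapters import BaseAdapter, HTTPAdapter
from urllib3.util.retry import Retry

# Real Graph v1.0 endpoint for Azure AD sign-in events; token acquisition is out of scope.
GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def build_session(token: str, total: int = 5, backoff_factor: float = 2.0) -> requests.Session:
    """Session whose adapter replays throttled or failed GETs with exponential backoff."""
    retry = Retry(
        total=total,
        backoff_factor=backoff_factor,               # urllib3 sleeps backoff_factor * 2**(n-1)
        status_forcelist=(429, 500, 502, 503, 504),  # 429 is what Graph returns when throttled
        allowed_methods=frozenset(["GET"]),          # never blindly replay non-idempotent calls
        respect_retry_after_header=True,             # prefer Graph's Retry-After over the formula
        raise_on_status=False,                       # hand the final response back to the caller
    )
    session = requests.Session()
    session.mount("https://", HTTPAdapter(max_retries=retry))
    session.headers["Authorization"] = f"Bearer {token}"
    return session


def iter_signins(session: requests.Session, start_url: str = GRAPH_SIGNINS,
                 odata_filter: Optional[str] = None) -> Iterator[dict]:
    """Yield sign-in events, following @odata.nextLink until the last page."""
    url, params = start_url, {"$top": "1000"}
    if odata_filter:
        params["$filter"] = odata_filter  # e.g. createdDateTime ge 2024-01-01T00:00:00Z
    while url:
        resp = session.get(url, params=params, timeout=30)
        # Retry has already replayed transient 429/5xx inside the adapter; if the budget is
        # exhausted the last failing response lands here and must not pass as an empty page.
        resp.raise_for_status()
        page = resp.json()
        for event in page.get("value", []):
            yield event
        url = page.get("@odata.nextLink")   # absolute URL carrying its own $skiptoken
        params = None                       # never re-append $top/$filter to a nextLink


class ScriptedAdapter(BaseAdapter):
    """Constructed offline stand-in for Graph: answers requests from a fixed script."""

    def __init__(self, script: List[Tuple[int, dict]]):
        super().__init__()
        self.script = list(script)
        self.calls: List[str] = []

    def send(self, request, **kwargs):
        self.calls.append(request.url)
        status, body = self.script.pop(0)
        resp = requests.Response()
        resp.status_code = status
        resp.headers["Content-Type"] = "application/json"
        resp._content = json.dumps(body).encode()
        resp.url, resp.request = request.url, request
        return resp

    def close(self):
        pass


# Constructed sample pages (made-up ids, users and skiptoken), shaped like Graph output.
NEXT_LINK = GRAPH_SIGNINS + "?$skiptoken=constructed-token"
PAGE_1 = {
    "value": [
        {"id": "s1", "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}},
        {"id": "s2", "userPrincipalName": "bob@contoso.example", "status": {"errorCode": 50126}},
    ],
    "@odata.nextLink": NEXT_LINK,
}
PAGE_2 = {"value": [{"id": "s3", "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}}]}


def demo_paging() -> Tuple[List[str], List[str]]:
    """Run the paging loop against the scripted transport; returns (event ids, URLs called)."""
    session = build_session("constructed-token")
    adapter = ScriptedAdapter([(200, PAGE_1), (200, PAGE_2)])
    session.mount("https://", adapter)   # replaces the real adapter for this offline demo only
    ids = [event["id"] for event in iter_signins(session)]
    return ids, adapter.calls


def demo_throttled_out() -> int:
    """Simulate Retry giving up: the final 429 must surface as an HTTPError, returned as its status."""
    session = build_session("constructed-token")
    session.mount("https://", ScriptedAdapter([(429, {"error": {"code": "TooManyRequests"}})]))
    try:
        list(iter_signins(session))
    except requests.HTTPError as exc:
        return exc.response.status_code
    return 0


if __name__ == "__main__":
    print(demo_paging())
    print(demo_throttled_out())
```

The design choice worth noting is `raise_on_status=False` together with `raise_for_status()` in the loop: the adapter replays transient 429s quietly and honours `Retry-After`, but once the budget is exhausted the collector sees the real failure instead of silently recording a short page, which is exactly the kind of gap that later looks like "missing days" of sign-in data.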