Skip to main content
Registration for .conf24 is open! Join us June 11-14 in Las Vegas.
Splunk Lantern

Logging output from any Azure Event Hub logs


Your organization collects Azure Event Hub data for a wide range of Azure infrastructures, including custom applications. Event Hubs can process and store events, data, or telemetry produced by distributed software and devices. After Event Hub logs are collected in your Splunk deployment, you can accelerate incident investigations involving Cloud infrastructure. 

Data required 

Microsoft: Azure Event Hub data


  1. Configure the Splunk Add-on for Microsoft Cloud Services.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=mscs:azure:eventhub <optional keywords>

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype=mscs:azure:eventhub Search only Azure Event Hub data. 
<optional keywords> Add keywords here, for example (error OR fail*)

Next steps

You can replace <optional keywords> with any additional keywords relevant to the investigation. You could also update the source filter to return logs from a specific log group, such as the log group associated with a specific Event Hub.

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.