Configure Azure Metrics inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice.

Prerequisites

Complete the following steps in the configuration process:

1. Configure an Active Directory Application in Azure Active Directory for the Splunk Add-on for Microsoft Cloud Services, if you have not already done so.
2. Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services, if you have not already done so.
3. Create an Azure App Account in the Splunk Add-on for Microsoft Cloud Services.
4. Azure Metrics input provides support for the metric index. See Create metric indexes to create a metrics index.

The Azure Metrics input for the Splunk Add-on for Microsoft Cloud Services is not compatible with the Metrics input in the Microsoft Azure Add-on for Splunk.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
2. Select Create New Input and then select Azure Metrics.
3. Enter the Name, Azure App Account, Subscription IDs, Namespaces, Metric Statistics, Preferred Time Aggregation, Interval, Use Metric Index?, Index, Sourcetype, and Number of Threads using the information in the following Input parameters table.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
2. Create a file named inputs.conf , if it does not already exist.
3. Add the following stanza for Azure Metrics input:
   1. Input configuration for event index

      [mscs_azure_metrics://<input_stanza_name>]
      account = <value>
      index = <value>
      interval = <value>
      metric_index_flag = no
      metric_statistics = <value>
      namespaces = <value>
      number_of_threads = <value>
      preferred_time_aggregation = <value>
      sourcetype = mscs:metrics:events
      subscription_id = <value>
      

   2. Input configuration for metrics index

      [mscs_azure_metrics://<input_stanza_name>]
      account = <value>
      index = <value>
      interval = <value>
      metric_index_flag = yes
      metric_statistics = <value>
      namespaces = <value>
      number_of_threads = <value>
      preferred_time_aggregation = <value>
      sourcetype = mscs:metrics
      subscription_id = <value>
      

4. Save and restart the Splunk platform.

Input parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Attribute	Corresponding field in Splunk Web	Description
input_stanza_name	Name	A friendly name for your input. . Input name cannot contain any whitespace.
account	Azure Account	The Azure App account from which you want to collect data. Account name cannot contain any whitespace.
subscription_id	Subscription IDs	The Azure Subscription containing the resources to query metrics. Comma-separated list of subscriptions.
namespaces	Namespaces	Comma-separated list of metric namespaces to query. Refer to section ‘Supported metrics with Azure Monitor’ in microsoft document for list of available metrics namespaces. Example: Microsoft.Compute/virtualMachines
metric_statistics	Metric Statistics	The type of statistic to gather. Valid options are average, minimum, maximum, total, and count
preferred_time_aggregation	Preferred Time Aggregation	The preferred aggregation type. If the preferred time period is not available for a specific metric in the namespace, the next available time grain will be used. Valid options are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, and P1D.
interval	Interval	The number of seconds to wait before the Splunk platform runs the command again. The default is 300 seconds.
metric_index_flag	Use Metric Index?	Use Metrix Index is for using metric index or event index. The default is yes (using metric index).
index	Index	The index that stores Azure Metrics data. It can be metrics, indexes, or events indexes based on the metric_index_flag value.
sourcetype	Sourcetype	The sourcetype to use for this input. If metric index the sourcetype value is mscs:metrics. If event index the sourcetype value is mscs:metrics:events.
number_of_threads	Number of Threads	The number of threads used to collect metric data in parallel. The default value is 5.