Skip to content

Configure Azure resource modular inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.

Prerequisites

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
  2. Select Create New Input and then select Azure Resource.
  3. Fill out the Name, Azure App Account, Subscription ID, Resource Type, Resource Group List, Interval and Index fields using the Input parameters.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create a file called mscs_azure_resource_inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Add the following stanza:
    [<input_stanza_name>]
    account = <value>
    subscription_id = <value>
    resource_type = <value>
    resource_group_list = <value>
    index = <value>
    interval = <value>
    
  3. Save and restart Splunk platform.

Input parameters

Attributes Corresponding Fields in Splunk Web Description
input_stanza_name Name A friendly name for your input. Name cannot contain any whitespace.
account Azure App Account The Azure App Account from which you want to gather data. Name cannot contain any whitespace.
subscription_id Subscription ID The instance queries that manage events belonging to this subscription. The subscription ID is the one you configured in Microsoft account
resource_type Resource Type You can choose from Virtual Machine, Public IP Address, Network Interface Card, Virtual Network, Disk Data, Image Data, Snapshot Data, Resource Groups, Security Groups and Subscriptions using Splunk Web, or set resource_type to virtual_machine, public_ip_address, network_interface_card, virtual_network, disk_data, image_data, snapshot_data, resource_groups, security_groups, subscriptionsin the configuration file.
resource_group_list Resource Group List The resource group list is defined by subscription ID and resource type. If you leave this field blank, this add-on will query all resource lists under the subscription ID and the resource type you choose. You can add multiple resource group list separated by commas.
interval Interval The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.
index Index The index where the Microsoft Cloud Services data is stored.