Configure Azure resource modular inputs for the Splunk Add-on for Microsoft Cloud Services
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Prerequisites
- Configure an Active Directory Application in Azure Active Directory for the Splunk Add-on for Microsoft Cloud Services
- Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
- Select Create New Input and then select Azure Resource.
- Fill out the Name, Azure App Account, Subscription ID, Resource Type, Resource Group List, Interval and Index fields using the Input parameters.
Configure inputs using configuration files
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create a file called mscs_azure_resource_inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
- Add the following stanza:
    [<input_stanza_name>]
    account = <value>
    subscription_id = <value>
    resource_type = <value>
    resource_group_list = <value>
    index = <value>
    interval = <value>
- Save the file and restart the Splunk platform.
Input parameters
Attributes | Corresponding Fields in Splunk Web | Description |
---|---|---|
input_stanza_name | Name | A friendly name for your input. Name cannot contain any whitespace. |
account | Azure App Account | The Azure App Account from which you want to gather data. Name cannot contain any whitespace. |
subscription_id | Subscription ID | The instance queries that manage events belonging to this subscription. The subscription ID is the one you configured in your Microsoft account. |
resource_type | Resource Type | You can choose from Virtual Machine, Public IP Address, Network Interface Card, Virtual Network, Disk Data, Image Data, Snapshot Data, Resource Groups, Security Groups and Subscriptions using Splunk Web, or set resource_type to virtual_machine, public_ip_address, network_interface_card, virtual_network, disk_data, image_data, snapshot_data, resource_groups, security_groups, or subscriptions in the configuration file. |
resource_group_list | Resource Group List | The resource group list is defined by subscription ID and resource type. If you leave this field blank, this add-on will query all resource lists under the subscription ID and the resource type you choose. You can add multiple resource group lists, separated by commas. |
interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. |
index | Index | The index where the Microsoft Cloud Services data is stored. |
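
A lint check for mscs_azure_resource_inputs.conf that applies the rules in the stanza and the Input parameters table above, as an added example that is not part of the add-on or of the original page. The function name `lint_inputs`, the sample stanzas, the choice of which attributes to treat as mandatory, and the use of Python's configparser to approximate Splunk's .conf parsing are assumptions.

```python
import configparser
import re

# resource_type values listed in the Input parameters table.
RESOURCE_TYPES = set("""virtual_machine public_ip_address network_interface_card
virtual_network disk_data image_data snapshot_data resource_groups
security_groups subscriptions""".split())
REQUIRED = ("account", "subscription_id", "resource_type")  # assumption, see lead-in

# Constructed sample: the second stanza breaks several documented rules.
SAMPLE = """\
[azure_vm_prod]
account = azure_app_1
subscription_id = 00000000-0000-0000-0000-000000000000
resource_type = virtual_machine
resource_group_list = rg-prod-web,rg-prod-db
[azure nic]
account = azure_app_1
subscription_id = 00000000-0000-0000-0000-000000000000
resource_type = network_interface
resource_group_list =
interval = 5m
"""

def lint_inputs(conf_text):
    """Return (stanza, level, message) findings for the given conf text."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep attribute names exactly as written
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        opts = {k: v.strip() for k, v in parser.items(stanza)}
        add = lambda level, msg: findings.append((stanza, level, msg))
        for label, value in (("input name", stanza), ("account", opts.get("account", ""))):
            if re.search(r"\s", value):
                add("error", f"{label} contains whitespace")
        for key in REQUIRED:
            if not opts.get(key):
                add("error", f"{key} is missing or empty")
        rtype, interval = opts.get("resource_type"), opts.get("interval", "")
        if rtype and rtype not in RESOURCE_TYPES:
            add("error", f"unknown resource_type {rtype!r}")
        if interval and not (interval.isdecimal() and int(interval) > 0):
            add("error", f"interval {interval!r} is not a positive number of seconds")
        if not opts.get("resource_group_list"):
            add("warn", "resource_group_list blank: all resource groups queried")
    return findings

if __name__ == "__main__":
    print(*lint_inputs(SAMPLE), sep="\n")
```

The blank resource_group_list is reported as a warning rather than an error because the table allows it; the finding only makes the resulting subscription-wide collection scope visible before the input is deployed.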