Skip to content

Configure Azure Resource modular inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.

Prerequisites

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
  2. Select Create New Input and then select Azure Resource.
  3. Fill out the Name, Azure App Account, Subscription ID, Resource Type, Resource Group List, Interval and Index fields using the Input parameters.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create a file called mscs_azure_resource_inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Add the following stanza: 
    [<input_stanza_name>]
account = <value>
subscription_id = <value>
resource_type = <value>
resource_group_list = <value>
network_watcher_name = <value>
network_watcher_resource_group = <value>
target_resource_group = <value>
resource_graph_query = <value>
index = <value>
interval = <value>
  3. Save and restart Splunk platform.

Input parameters

Attributes Corresponding Fields in Splunk Web Description
input_stanza_name Name A friendly name for your input. Do not include whitespaces.
account Azure App Account The Azure App Account from which you want to gather data. Do not include whitespaces.
subscription_id Subscription ID The instance queries that manage events belonging to this subscription. The subscription ID is the one you configured in Microsoft account
resource_type Resource Type Use Splunk Web to select from the following: Disk Data, Image Data, Network Interface Card, Public IP Address, Resource Graph, Resource Groups, Security Groups, Snapshot Data, Subscriptions, Topology, Virtual Machine and Virtual Network, or set resource_type to disk_data, image_data, network_interface_card, public_ip_address, resource_graph, resource_groups, security_groups, snapshot_data, subscriptions, topology, virtual_machine, virtual_network in the configuration file.

If network_watcher_name, network_watcher_resource_group and target_resource_groupare provided, the Topology resource type is considered as Topology (manual) otherwise it is considered as Topology (auto).

Note: If you need to update this field, create a new input.
resource_group_list Resource Group List The resource group list is defined by subscription ID and resource type. If left blank, this add-on queries all resource lists under the subscription ID and the resource type you selected. You can add multiple resource group list separated by commas.
network_watcher_name Network Watcher Name Network Watcher to provide access to topology data. This field is used with Topology resource type.
network_watcher_resource_group Network Watcher Resource Group Specify the Resource Group containing the Network Watcher. This field is used with Topology resource type.
target_resource_group Target Resource Group Specify the Resource Group to enumerate topology. This Resource Group should be in the same region as the Network Watcher. This field is used with Topology resource type.
resource_graph_query Resource Graph Query The resources query. Example: project id, name, type, location, tags | limit 10. This field is used with Resource Graph resource type.
interval Interval The number of seconds to wait before the Splunk Platform runs the command again. The default is 3600 seconds.
index Index The index where the Microsoft Cloud Services data is stored.