Configure the Azure Storage Table modular Input for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.

Prerequisites

Before you enable inputs, complete the previous steps in the configuration process:

• Configure a Storage Account in Microsoft Cloud Service
• Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
2. Select Create New Input.
3. Select Azure Storage Table.
4. Select Input type as Storage table, and fill out the Name, Azure Storage Account, Table List, Start Time, Interval, Index and Sourcetype fields using the Input parameters table.

Configure inputs using configuration files

1. Create a file called inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
2. Configure Azure storage table inputs with the following stanza:

   [mscs:storage:table://<input_name>]
   account = <value>
   collection_interval = <value>
   storage_table_type = storage_table
   table_list = <value>
   start_time = <value>
   index = <value>
   sourcetype = <value>
   

3. Save and restart the Splunk platform.

Input parameters

Attributes	Corresponding field in Splunk Web	Description
mscs:storage:table://<input_name>	Name	A friendly name for your input. Name cannot contain any whitespace.
account	Azure Storage Account	Choose a Storage Account you have configured. Name cannot contain any whitespace.
table_list	Table List	The table list under the storage account. You can enter multiple table names separated by commas. You can also use wildcards (*) or regular expression in the table name. If the table name uses regular expressions, add a colon in front of the table name. For example: table*, :table\d+.
start_time	Start Time	The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration. For example, 2016-07-15T09:00:00+08:00 collects data from 2016-07-15 09:00:00 in the UTC+8 time zone.
collection_interval	Interval	The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.
index	Index	The index in which to store Azure Storage Table data.
sourcetype	Sourcetype	The default source type is mscs:storage:table. If you want to change the default source type, Splunk software detects the time field of the event, which can cause errors in the timestamp field. To prevent this issue, configure the timestamp under SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/props.conf.
storage_table_type	Input Type, with Storage Table as selection value.	Choose Storage Table' for the input type.