Configure the Azure Storage Table modular input for the Splunk Add-on for Microsoft Cloud Services
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Configure parameters to tune the performance of this input. For more information, see Configure Global settings.
Prerequisites
Before you enable inputs, complete the previous steps in the configuration process:
- Configure a Storage Account in Microsoft Cloud Service
- Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
- Select Create New Input.
- Select Azure Storage Table.
- Select Input type as Storage table, and fill out the Name, Azure Storage Account, Table List, Start Time, Interval, Index and Sourcetype fields using the Input parameters table.
Configure inputs using configuration files
- Create a file called inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
- Configure Azure storage table inputs with the following stanza:
```
[mscs:storage:table://<input_name>]
account = <value>
collection_interval = <value>
storage_table_type = storage_table
table_list = <value>
start_time = <value>
index = <value>
sourcetype = <value>
query_entities_page_size = <value>
event_cnt_per_item = <value>
query_end_time_offset = <value>
agent = <value>
```
- Save and restart the Splunk platform.
Input parameters
| Attributes | Corresponding field in Splunk Web | Description |
|---|---|---|
| | Name | A friendly name for your input. Name cannot contain any whitespace. |
| | Azure Storage Account | Choose a Storage Account you have configured. Name cannot contain any whitespace. |
| | Table List | The table list under the storage account. You can enter multiple table names separated by commas. You can also use wildcards (*) or regular expressions in the table name. If the table name uses regular expressions, add a colon in front of the table name. For example: |
| | Start Time | The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration. For example, 2016-07-15T09:00:00+08:00 collects data from 2016-07-15 09:00:00 in the UTC+8 time zone. |
| | Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. |
| | Index | The index in which to store Azure Storage Table data. |
| | Sourcetype | The default source type is If you want to change the default source type, Splunk software detects the time field of the event, which can cause errors in the timestamp field. To prevent this issue, configure the timestamp under SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/props.conf. |
| | Input Type | Choose Storage Table for the input type. |
| | Entities page size per query | Number of entities to retrieve per page when querying entities from a Storage Table. It controls the amount of data fetched in each query operation. It overrides the global setting. |
| | Event counts per item | Number of entities to process and convert into events in a single batch. It controls the batch size for event processing for a Storage Table. It overrides the global setting. |
| | Offset of the query end time | The offset in seconds from the current time that determines the end time for querying entities. It sets a time window for the data collection process. It overrides the global setting. |
| | Log level | Change the log level of an individual input. It overrides the setting on the Logging page. |
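
A pre-deployment check for the stanza and parameter rules above, as an added example that is not part of the Splunk documentation or the add-on: it parses inputs.conf text and reports Azure Storage Table stanzas that break the documented constraints, so a malformed input is caught before it silently leaves a gap in collected data. The function name, the sample stanzas, the use of Python `re` syntax for colon-prefixed table names, the reading of TZD as `Z` or `+hh:mm`/`-hh:mm`, and treating `account` and `table_list` as required are assumptions.

```python
import configparser
import re

PREFIX = "mscs:storage:table://"
# Assumption: TZD means "Z" or a "+hh:mm" / "-hh:mm" offset. Shape and field ranges only.
START_RE = re.compile(r"\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])"
                      r"T([01]\d|2[0-3]):[0-5]\d:[0-5]\d(Z|[+-]\d\d:\d\d)")

def lint_table_inputs(conf_text):
    """Return (input_name, problem) pairs; account/table_list assumed required."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    problems = []
    for section in parser.sections():
        if not section.startswith(PREFIX):
            continue
        name, cfg, found = section[len(PREFIX):], parser[section], []
        # The parameter table says neither value may contain whitespace.
        for label, value in (("input name", name), ("account", cfg.get("account", ""))):
            if not value or re.search(r"\s", value):
                found.append(f"{label} is empty or contains whitespace")
        if cfg.get("storage_table_type") != "storage_table":
            found.append("storage_table_type must be storage_table")
        tables = [t.strip() for t in cfg.get("table_list", "").split(",") if t.strip()]
        if not tables:
            found.append("table_list is empty")
        for table in (t for t in tables if t.startswith(":")):  # ":" marks a regex (Python syntax assumed)
            try:
                re.compile(table[1:])
            except re.error:
                found.append(f"table_list regex {table!r} does not compile")
        start = cfg.get("start_time")  # optional: default is 30 days back
        if start is not None and not START_RE.fullmatch(start):
            found.append(f"start_time {start!r} is not YYYY-MM-DDThh:mm:ssTZD")
        problems += [(name, msg) for msg in found]
    return problems

# Constructed sample stanzas, not taken from a real deployment.
SAMPLE = r"""
[mscs:storage:table://audit_tables]
account = prodlogs
storage_table_type = storage_table
table_list = WADLogs*, :^Audit\d+$
start_time = 2016-07-15T09:00:00+08:00
[mscs:storage:table://bad input]
account = prodlogs
table_list = :^Audit(
start_time = 2016-07-15 09:00
"""
```

Calling `lint_table_inputs(SAMPLE)` returns four findings, all for the second stanza; the first stanza passes every check.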