Configure Azure Virtual Machine metrics modular inputs for Splunk Add-on for Microsoft Cloud Services¶
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web as a best practice, or by using configuration files.
Prerequisites¶
Before you enable inputs, complete the previous steps in the configuration process:
- Configure a Storage Account in Microsoft Cloud Service
- Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services
Configure inputs using Splunk Web¶
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You cannot configure Table List, Interval, or Sourcetype using Splunk Web.
- In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
- Select Create New Input and select Azure Storage Table.
- Select Input type as Virtual Machine Metrics and enter the Name, Storage Account, Start Time and Index using the Input parameters.
- Select Add.
Configure inputs using configuration file¶
- Create a file called inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
-
Configure Azure virtual machine metrics inputs with the following stanza:
[mscs_storage_table://<input_name>] account = <value> storage_table_type = vm_metrics table_list = WADMetricsPT1M* start_time = <value> index = <value> collection_interval = 60 sourcetype = mscs:vm:metrics -
Save and restart Splunk platform.
Input parameters¶
| Attribute | Corresponding field in Splunk Web | Description |
|---|---|---|
mscs_storage_table://<input_name> |
Name | A friendly name for your input. Name cannot contain any whitespace. |
account |
Azure Storage Account | Choose a Storage Account you have configured. Account name cannot contain any whitespace. |
table_list |
Table List | Enter a table list name under the storage account. You cannot change the Table List name in Splunk Web, which is WADMetricsPT1M*. Note: The best practice is to keep the default value WASMetricsPT1M* in the table list. |
start_time |
Start Time | The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration, e.g., 2016-07-15T09:00:00+08:00 stands for fetching data from 2016-07-15 09:00:00 in UTC+8 time zone. |
collection_interval |
Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 60 seconds, and you cannot change this interval in Splunk Web. If you want to change the interval time, you have to configure it using the configuration file. Note: If you want to use ITSI data models, the best practice is to set the interval to 60 seconds. |
index |
Index | The index in which to store Azure Storage Table data. |
sourcetype |
Sourcetype | The default is mscs:vm:metrics. You cannot change the sourcetype in Splunk Web. If you want to change the sourcetype, you have to configure it using the configuration file. |
storage_table_type |
Input Type, with Virtual Machine Metrics as the selection value. | Choose data input as Virtual Machine Metrics. |