Configure Azure Virtual Machine metrics modular input for Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web as a best practice, or by using configuration files.

Prerequisites

Before you enable inputs, complete the previous steps in the configuration process:

• Configure a Storage Account in Microsoft Cloud Service
• Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You cannot configure Table List, Interval, or Sourcetype using Splunk Web.

1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
2. Select Create New Input and select Azure Storage Table.
3. Select Input type as Virtual Machine Metrics and type the Name, Storage Account, Start Time and Index using the Input parameters.
4. Select Add.

Configure inputs using configuration file

1. Create a file called inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
2. Configure Azure virtual machine metrics inputs with the following stanza:

   [mscs_storage_table://<input_name>]
   account = <value>
   storage_table_type = vm_metrics
   table_list = WADMetricsPT1M*
   start_time = <value>
   index = <value>
   collection_interval = 60
   sourcetype = mscs:vm:metrics
   

3. Save and restart Splunk platform.

Input parameters

Attribute	Corresponding field in Splunk Web	Description
mscs_storage_table://<input_name>	Name	A friendly name for your input. Name cannot contain any whitespace.
account	Azure Storage Account	Choose a Storage Account you have configured. Account name cannot contain any whitespace.
table_list	Table List	Enter a table list name under the storage account. You cannot change the Table List name in Splunk Web, which is WADMetricsPT1M*. The best practice is to keep the default value WASMetricsPT1M* in the table list.
start_time	Start Time	The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration, e.g. 2016-07-15T09:00:00+08:00 stands for fetching data from 2016-07-15 09:00:00 in UTC+8 time zone.
collection_interval	Interval	The number of seconds to wait before the Splunk platform runs the command again. The default is 60 seconds, and you cannot change this interval in Splunk Web. If you want to change the interval time, you have to configure it using the configuration file. If you want to use ITSI data models, the best practice is to set the interval to 60 seconds.
index	Index	The index in which to store Azure Storage Table data.
sourcetype	Sourcetype	The default is mscs:vm:metrics. You cannot change the sourcetype in Splunk Web. If you want to change the sourcetype, you have to configure it using the configuration file.
storage_table_type	Input Type, with Virtual Machine Metrics as the selection value.	Choose data input as Virtual Machine Metrics.