
Configure Azure KQL Log Analytics inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice.

Prerequisites

Complete the following steps in the configuration process:

Note

The Azure Log Analytics KQL input for the Splunk Add-on for Microsoft Cloud Services is not compatible with the Azure Log Analytics KQL input in the Microsoft Azure Add-on for Splunk.

Note

During data collection, the input's memory usage is directly proportional to the total size of the response to the KQL query. A query that returns a very large result set is expected to use a correspondingly large amount of memory on the collecting instance, so narrow the query (time range, project only the columns you need) rather than filtering after ingestion.

Note

On each invocation, the input ingests every event returned by the KQL query; it keeps no checkpoint of what it has already collected. Configure the interval to match how often the input should fetch the full result set again, and bound the query's time range accordingly (for example with a where clause on TimeGenerated), otherwise the same events are ingested again on every run.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
  2. Select Create New Input and then select Azure KQL Log Analytics.
  3. Enter the following:
  • Name
  • Azure App Account
  • Workspace ID
  • KQL Query
  • Interval
  • Index
  • Sourcetype
  • Index KQL Statistics
  • Index Empty Field Values

Use the information in the Input parameters section below to complete each field.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Create a file named inputs.conf, if it does not already exist.
  3. Add the following stanza for the Azure Log Analytics KQL input:

    [mscs_azure_kql://<input_stanza_name>]
    interval = <value>
    index = <value>
    account = <value>
    workspace_id = <value>
    kql_query = <value>
    sourcetype = mscs:kql
    index_stats = 0/1
    index_empty_values = 0/1
    
  4. Save and restart the Splunk platform.
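Because the input re-runs the whole KQL query on every interval and keeps no checkpoint, the two settings that most often go wrong in inputs.conf are a query with no time bound (duplicates every run) and a time bound shorter than the interval (events between runs are never collected). The following pre-deployment lint is an added example written for this page; it is not part of the Splunk Add-on for Microsoft Cloud Services. The sample stanzas, the stanza names, the account name and the KQL column list are constructed for illustration.

```python
"""Lint mscs_azure_kql stanzas in a local inputs.conf before restarting Splunk.

Added example for this page, not code from the Splunk add-on. It checks the
constraints documented above (stanza prefix, no whitespace in the name,
GUID-shaped workspace_id, positive interval, 0/1 flags) and the interaction
between the query's ago() window and the interval, since every run ingests
everything the query returns.
"""
import configparser
import re

STANZA_PREFIX = "mscs_azure_kql://"
REQUIRED = ("interval", "index", "account", "workspace_id", "kql_query", "sourcetype")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
AGO_RE = re.compile(r"ago\(\s*(\d+)\s*([smhd])\s*\)")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample: one well-formed stanza and one with several mistakes.
SAMPLE_INPUTS_CONF = """
[mscs_azure_kql://entra_signins]
interval = 3600
index = azure
account = azure_app_prod
workspace_id = 12345678-da78-45bc-a034-22463f5b8639
kql_query = SigninLogs | where TimeGenerated > ago(1h) | project TimeGenerated, UserPrincipalName, ResultType, IPAddress
sourcetype = mscs:kql
index_stats = 1
index_empty_values = 0

[mscs_azure_kql://all_signins_unbounded]
interval = 600
index = azure
account = azure_app_prod
workspace_id = not-a-guid
kql_query = SigninLogs | project UserDisplayName, Identity
sourcetype = mscs:kql
index_stats = 0
index_empty_values = 2
"""


def query_window_seconds(kql_query: str):
    """Smallest ago() window in the query, in seconds; None if the query is unbounded."""
    windows = [int(n) * UNIT_SECONDS[u] for n, u in AGO_RE.findall(kql_query)]
    return min(windows) if windows else None


def lint_stanza(name: str, opts: dict) -> list:
    """Return a list of problems for one stanza; an empty list means it passed."""
    problems = []
    if not name.startswith(STANZA_PREFIX):
        problems.append(f"stanza must start with {STANZA_PREFIX}")
    stanza_name = name[len(STANZA_PREFIX):]
    if not stanza_name or re.search(r"\s", stanza_name):
        problems.append("input name is empty or contains whitespace")
    for key in REQUIRED:
        if not opts.get(key):
            problems.append(f"missing required setting {key}")
    interval = int(opts["interval"]) if opts.get("interval", "").isdigit() else 0
    if interval <= 0:
        problems.append("interval must be a positive integer number of seconds")
    if opts.get("workspace_id") and not GUID_RE.match(opts["workspace_id"]):
        problems.append("workspace_id is not a GUID")
    for flag in ("index_stats", "index_empty_values"):
        if opts.get(flag, "0") not in ("0", "1"):
            problems.append(f"{flag} must be 0 or 1")
    window = query_window_seconds(opts.get("kql_query", ""))
    if window is None:
        problems.append("kql_query has no ago() time bound: every run re-ingests all matching rows")
    elif interval and window < interval:
        problems.append(f"ago() window of {window}s is shorter than the {interval}s interval: "
                        "events generated between runs are never collected")
    return problems


def lint_inputs_conf(text: str) -> dict:
    """Map every stanza name in the inputs.conf text to its list of problems."""
    # Splunk .conf files only use '=' and values may contain ':' and '%',
    # so disable the ':' delimiter and value interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {section: lint_stanza(section, dict(cp[section])) for section in cp.sections()}


if __name__ == "__main__":
    for section, problems in lint_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(section, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run it against $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/inputs.conf before the restart in step 4. A window equal to the interval leaves no safety margin for query latency; a window slightly longer than the interval is the usual choice, at the cost of a small, predictable overlap that Splunk does not deduplicate.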

Input parameters

Each attribute below corresponds to a field in Splunk Web; the Splunk Web field name is given in parentheses after the attribute.

input_stanza_name (Name): A friendly name for your input. The name cannot contain whitespace.

account (Azure App Account): The Azure App account from which you want to collect data. The account name cannot contain whitespace.

workspace_id (Workspace ID): The ID of the Azure Log Analytics workspace on which the provided KQL query runs. Sample workspace ID: 12345678-da78-45bc-a034-22463f5b8639

kql_query (KQL Query): The KQL query to run on the given workspace. Sample KQL query: SigninLogs | project UserDisplayName, Identity

interval (Interval): The number of seconds to wait before the Splunk platform runs the query again. The default is 3600 seconds. Each invocation ingests all the events the KQL query returns, so choose the interval together with the query's time range: the interval sets how often the full result set is fetched again, and the query's time bound determines whether successive runs overlap or leave gaps.

index (Index): The index in which to store Azure KQL Log Analytics data.

sourcetype (Sourcetype): The sourcetype to use for this input.

index_stats (Index KQL Statistics): If enabled, the input also indexes a statistics event about the provided KQL query. The statistics event uses the provided sourcetype with :stats appended (for example, mscs:kql:stats).

index_empty_values (Index Empty Field Values): If enabled, the input also indexes the fields of each Log Analytics event that have empty values.

When Index Empty Field Values is not enabled, fields with empty values are dropped from the event before it is indexed, which reduces event size. Keep in mind that a dropped field is absent in Splunk rather than empty, so searches that test for an empty value (for example Location="") do not match those events. The following example shows how a raw event in the Log Analytics workspace is ingested into Splunk with the setting disabled.

Sample Raw Event in Log Analytics Workspace:
{
"user": "test",
"email": "email@test.com",
"Location": "",
"mobile": ""
}

Sample Ingested Event in Splunk:
{
"user": "test",
"email": "email@test.com"
}