Configure Azure KQL Log Analytics input for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice.

Prerequisites

Complete the following steps in the configuration process:

The Azure Log Analytics KQL input for the Splunk Add-on for Microsoft Cloud Services is not compatible with the Azure Log Analytics KQL input in the Microsoft Azure Add-on for Splunk.

During data collection, the input's memory usage is directly proportional to the total response size of the configured KQL query, so a very large response results in correspondingly high memory use.

Each invocation of the input ingests all the events returned by the KQL query. Set the input's Interval field according to how often the full result set should be collected again.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
  2. Select Create New Input and then select Azure KQL Log Analytics.
  3. Enter the Name, Azure App Account, Workspace ID, KQL Query, Interval, Index, Sourcetype, Index KQL Statistics and Index Empty Field Values, using the information in the Input parameters section below.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Create a file named inputs.conf, if it does not already exist.
  3. Add the following stanza to configure the Azure Log Analytics KQL input:
    [mscs_azure_kql://<input_stanza_name>]
    interval = <value>
    index = <value>
    account = <value>
    workspace_id = <value>
    kql_query = <value>
    sourcetype = mscs:kql
    index_stats = 0/1
    index_empty_values = 0/1
  4. Save and restart the Splunk platform.

Input parameters

Each attribute below corresponds to a field in Splunk Web; the Splunk Web field name is shown in parentheses after the attribute name.

input_stanza_name (Name)
  A friendly name for your input. The name cannot contain whitespace.

account (Azure Account)
  The Azure App account from which you want to collect data. The name cannot contain whitespace.

workspace_id (Workspace ID)
  The ID of the Azure Log Analytics workspace on which the KQL query runs.
  Sample workspace ID: 12345678-da78-4b5c-a034-22463f5b8639

kql_query (KQL Query)
  The KQL query to run on the given workspace.
  Sample KQL query: SigninLogs | project UserDisplayName, Identity

interval (Interval)
  The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. Each invocation of the input ingests all the events returned by the KQL query, so set the interval according to how often the full result set should be collected again.

index (Index)
  The index in which to store Azure KQL Log Analytics data.

sourcetype (Sourcetype)
  The sourcetype to use for this input.

index_stats (Index KQL Statistics)
  If enabled, the input also indexes a statistics event about the configured KQL query. The sourcetype of that statistics event is the configured sourcetype with :stats appended.

index_empty_values (Index Empty Field Values)
  If enabled, the input also indexes those fields of the Log Analytics event whose values are empty.

The following example shows how a raw event from the Log Analytics workspace is ingested into Splunk when Index Empty Field Values is not enabled. Excluding empty fields reduces the event size.

Sample Raw Event in Log Analytics Workspace:

{
  "user": "test",
  "email": "email@test.com",
  "location": "",
  "mobile": ""
}

Sample Ingested Event in Splunk:

{
  "user": "test",
  "email": "email@test.com"
}
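To make the two options concrete, the following added Python illustration (not the add-on's own code) converts a constructed Log Analytics query response into Splunk-style events, dropping empty fields when index_empty_values is off and building the separate statistics event whose sourcetype gets :stats appended. The response shape (tables with columns and rows) follows the Log Analytics query API; the sample values and the fields inside the statistics event are assumptions.

```python
import json

# Constructed sample in the shape of a Log Analytics query API response
# (tables -> columns/rows). Values are made up; the first two columns match
# the page's sample query "SigninLogs | project UserDisplayName, Identity",
# and two extra columns are included so that empty values appear.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "UserDisplayName", "type": "string"},
            {"name": "Identity", "type": "string"},
            {"name": "Location", "type": "string"},
            {"name": "MobilePhone", "type": "string"},
        ],
        "rows": [
            ["test", "email@test.com", "", ""],
            ["alice", "alice@example.test", "US", ""],
        ],
    }]
}


def rows_to_events(response: dict, sourcetype: str, index_empty_values: bool) -> list:
    """Turn every result row into one event dict keyed by column name.

    With index_empty_values=False, fields whose value is "" or None are
    dropped, mirroring the before/after sample in the documentation.
    Note that the whole response is held in memory, which is why memory
    use grows with the size of the KQL result set.
    """
    events = []
    for table in response["tables"]:
        names = [col["name"] for col in table["columns"]]
        for row in table["rows"]:
            fields = dict(zip(names, row))
            if not index_empty_values:
                fields = {k: v for k, v in fields.items() if v not in ("", None)}
            events.append({"sourcetype": sourcetype, "event": fields})
    return events


def stats_event(response: dict, sourcetype: str, kql_query: str) -> dict:
    """Build the optional statistics event (assumed fields: query and row count)."""
    count = sum(len(table["rows"]) for table in response["tables"])
    return {"sourcetype": f"{sourcetype}:stats",
            "event": {"kql_query": kql_query, "event_count": count}}


if __name__ == "__main__":
    for ev in rows_to_events(SAMPLE_RESPONSE, "mscs:kql", index_empty_values=False):
        print(json.dumps(ev))
    print(json.dumps(stats_event(SAMPLE_RESPONSE, "mscs:kql", "SigninLogs | project UserDisplayName, Identity")))
```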