
Configure Stop Azure VM alert for the Splunk Add-on for Microsoft Cloud Services

Use the Stop Azure VM alerts to automatically stop your Azure virtual machines.

Prerequisites

Depending on what you want to do, there are the following prerequisites:

  • To configure the alert action included with the Splunk Add-on for Microsoft Cloud Services, you must either be an administrator or a user with the following capability:

    • list_storage_passwords if you are using Splunk Enterprise 6.5.0 or higher.

    • admin_all_objects if you are using a version of Splunk Enterprise lower than 6.5.0.

  • To let the Stop Azure VM alert act on Azure, the Azure App account needs the Virtual Machine Contributor role. Assign that role at the narrowest scope that covers the VMs the alert is meant to stop (a resource group rather than the whole subscription where possible); the alert can stop any VM the account is allowed to stop, not only the ones your search returns today.

Use the Stop Azure VM alerts

To use the Stop Azure VM alerts for the Splunk Add-on for Microsoft Cloud Services, complete the following steps:

  1. Configure an Azure App account. See Connect to your Azure App Account with the Splunk Add-on for Microsoft Cloud Services for more information.
  2. Set up Azure Resource monitoring input for the Virtual Machine resource type. See Connect to your Azure App Account with the Splunk Add-on for Microsoft Cloud Services for more information.
  3. Create a search that targets the index you configured in step 2 and returns one row per VM to stop, carrying the fields subscription_id, resource_group, and vm_name that the alert action reads. Return only the VMs you actually intend to stop: the action acts on whatever rows the search produces.
  4. Configure the alert action. See the following section for details.

Configure the alert action

Note

The Stop Azure VM alert is a custom alert action shipped with the Splunk Add-on for Microsoft Cloud Services. Custom alert actions are available in Splunk Enterprise version 6.3.0 and higher.

To attach the Stop Azure VM action to an alert, follow these steps:

  1. In Splunk Web, go to the Search & Reporting app.
  2. Write a search string that you want to use to retrieve the list of virtual machines and click Save As > Alert.
  3. Enter the alert details. Give your alert a unique name and indicate whether the alert is a real-time alert or a scheduled alert. See Getting started with alerts in the Alerting Manual for more information.
  4. Under Trigger Actions, click Add Actions.
  5. Select Stop Azure VM from the list of actions.
  6. Enter values in the required fields. Each default value is a token of the form $result.<field>$, which is replaced with the value of that field from the search result that triggered the alert; if the field is missing from the result, the action has nothing to act on. The fields are:

    • Azure App Account: Required. Name of the Azure App account configured within the Splunk Add-on for Microsoft Cloud Services.

    • Resource Group: Required. Resource group of the Azure VM. With the default value $result.resource_group$, the value is taken from the resource_group field of the search result.

    • Subscription ID: Required. Subscription ID of the Azure VM. With the default value $result.subscription_id$, the value is taken from the subscription_id field of the search result.

    • VM Name: Required. Name of the VM to stop. With the default value $result.vm_name$, the value is taken from the vm_name field of the search result.
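Because the action stops whatever the search hands it, the useful check before saving the alert is what each result row contains. The example below is added here and is not code from the add-on: it takes VM events, derives the three fields the action reads (subscription_id, resource_group, vm_name) from the Azure resource ID, and drops anything that is not a VM or sits outside an allow-list of resource groups. The resource ID format is standard Azure; that the events expose it in a field called `id`, the sample events, and the allow-list are assumptions for illustration. In Splunk the same extraction would be done inside the saved search itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Azure resource ID of a VM. Path segments are matched case-insensitively because
# Azure returns both "resourceGroups" and "resourcegroups" in practice:
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
VM_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription_id>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.Compute/virtualMachines/(?P<vm_name>[^/]+)$",
    re.IGNORECASE,
)


def parse_vm_id(resource_id: str) -> Optional[Dict[str, str]]:
    """Return the three fields the alert action reads, or None if this is not a VM ID."""
    m = VM_ID_RE.match(resource_id.strip())
    return m.groupdict() if m else None


def build_stop_rows(
    events: List[Dict[str, str]], allowed_resource_groups: List[str]
) -> Tuple[List[Dict[str, str]], List[Tuple[str, str]]]:
    """Filter VM events down to rows the alert may act on.

    Each returned row carries subscription_id, resource_group and vm_name, i.e. the
    fields behind $result.subscription_id$, $result.resource_group$ and
    $result.vm_name$. Events that are not VMs, or whose resource group is outside
    the allow-list, are returned separately with a reason so they can be reviewed.
    """
    allowed = {rg.lower() for rg in allowed_resource_groups}
    rows: List[Dict[str, str]] = []
    skipped: List[Tuple[str, str]] = []
    for ev in events:
        rid = ev.get("id", "")  # assumption: the event exposes the resource ID as "id"
        fields = parse_vm_id(rid)
        if fields is None:
            skipped.append((rid, "not a Microsoft.Compute/virtualMachines resource ID"))
            continue
        if fields["resource_group"].lower() not in allowed:
            skipped.append((rid, "resource group not in allow-list"))
            continue
        rows.append(fields)
    return rows, skipped


# Constructed sample events; only the "id" field is used here. Real events from the
# Virtual Machine resource input carry many more fields.
SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"id": f"/subscriptions/{SUB}/resourceGroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/web-01"},
    {"id": f"/subscriptions/{SUB}/resourcegroups/rg-prod-web/providers/Microsoft.Compute/virtualMachines/web-02"},
    {"id": f"/subscriptions/{SUB}/resourceGroups/rg-shared-db/providers/Microsoft.Compute/virtualMachines/db-01"},
    {"id": f"/subscriptions/{SUB}/resourceGroups/rg-prod-web/providers/Microsoft.Compute/disks/web-01_OsDisk"},
]


def demo() -> Tuple[List[Dict[str, str]], List[Tuple[str, str]]]:
    """Run the filter over the constructed events with a single allowed resource group."""
    return build_stop_rows(SAMPLE_EVENTS, allowed_resource_groups=["rg-prod-web"])


if __name__ == "__main__":
    rows, skipped = demo()
    for r in rows:
        print("would stop", r["vm_name"], "in", r["resource_group"], "sub", r["subscription_id"])
    for rid, why in skipped:
        print("skipped", rid, "->", why)
```

With the sample data, web-01 and web-02 become rows the action would consume, while db-01 (wrong resource group) and the OS disk (not a VM) are reported and left alone. The same allow-list discipline belongs in the saved search itself, since nothing in the alert action re-checks which VMs it is told to stop.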