Configure Azure Compute inputs for the Splunk Add-on for Microsoft Azure
Warning
This functionality has moved to the Splunk Add-on for Microsoft Cloud Services.
Before you enable inputs, complete the previous steps in the configuration process:
- Create an Azure AD App Registration
- Connect to your Azure Account with Splunk Add-on for Microsoft Azure
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Azure, click Inputs.
- Click Create New Input and then select Azure Compute.
- Enter the Name, Interval, Index, Azure App Account, Tenant ID, Environment, and other parameters using the information in the input parameter table below.
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create or modify a file named inputs.conf under $SPLUNK_HOME/etc/apps/TA-MS-AAD/local.
- Add the following stanza:
[azure_comp://<input_stanza_name>]
azure_app_account = <value>
collect_image_data = <value>
collect_managed_disk_data = <value>
collect_snapshot_data = <value>
collect_virtual_machine_data = <value>
environment = <value>
image_sourcetype = <value>
index = <value>
interval = <value>
managed_disk_sourcetype = <value>
snapshot_sourcetype = <value>
subscription_id = <value>
tenant_id = <value>
virtual_machine_sourcetype = <value>
- Save and restart the Splunk platform.
Verify that the value listed for azure_app_account matches the account entry in ta_ms_aad_account.conf.
Each attribute in the following table corresponds to a field in Splunk Web.
Attribute | Corresponding field in Splunk Web | Description |
---|---|---|
[azure_comp://<input_stanza_name>] | Name | A friendly name for your input. |
azure_app_account | Azure Account | The Azure App account from which you want to gather data. |
collect_virtual_machine_data | Collect Virtual Machine Data | Toggle for collecting virtual machine data. |
virtual_machine_sourcetype | Virtual Network Sourcetype | The sourcetype to use for virtual machine data. |
collect_managed_disk_data | Collect Managed Disk Data | Toggle for collecting managed disk data. |
managed_disk_sourcetype | Managed Disk Sourcetype | The sourcetype to use for managed disk data. |
collect_image_data | Collect Image Data | Toggle for collecting VM image data. |
image_sourcetype | Image Sourcetype | The sourcetype to use for VM image data. |
collect_snapshot_data | Collect Snapshot Data | Toggle for collecting VM snapshot data. |
snapshot_sourcetype | Snapshot Sourcetype | The sourcetype to use for VM snapshot data. |
environment | Environment | The Azure environment. Valid options are public and gov. |
tenant_id | Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
subscription_id | Subscription ID | The Azure Subscription ID. |
interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. |
index | Index | The index in which to store Azure data. |
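
A pre-restart check for the configuration-file method, added here as an example (it is not code from the add-on or its documentation): it confirms that each azure_comp stanza's azure_app_account has an entry in ta_ms_aad_account.conf and that environment and interval hold the values the table describes. It assumes account entries are stanza names in ta_ms_aad_account.conf; the function name check_compute_inputs and the sample values are constructed for illustration.

```python
import configparser

# Keys the page lists for an [azure_comp://...] stanza.
EXPECTED_KEYS = (
    "azure_app_account collect_image_data collect_managed_disk_data "
    "collect_snapshot_data collect_virtual_machine_data environment "
    "image_sourcetype index interval managed_disk_sourcetype "
    "snapshot_sourcetype subscription_id tenant_id virtual_machine_sourcetype"
).split()
VALID_ENVIRONMENTS = {"public", "gov"}  # valid options per the parameter table

# Constructed sample files with placeholder values (not a real deployment).
SAMPLE_ACCOUNTS = "[prod_azure_app]\n"
SAMPLE_INPUTS = """\
[azure_comp://compute_prod]
azure_app_account = prod_azure_ap
environment = commercial
interval = 5m
"""

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser

def check_compute_inputs(inputs_text, accounts_text):
    """Return (stanza, problem) findings for every azure_comp input."""
    # Assumption: each account entry is a stanza name in ta_ms_aad_account.conf.
    accounts = set(_parse(accounts_text).sections())
    inputs = _parse(inputs_text)
    findings = []
    for stanza in (s for s in inputs.sections() if s.startswith("azure_comp://")):
        conf = inputs[stanza]
        missing = [k for k in EXPECTED_KEYS if not conf.get(k, "").strip()]
        if missing:
            findings.append((stanza, "not set: " + ", ".join(missing)))
        account = conf.get("azure_app_account", "").strip()
        if account and account not in accounts:
            findings.append((stanza, f"no account entry named '{account}'"))
        env = conf.get("environment", "").strip()
        if env and env not in VALID_ENVIRONMENTS:
            findings.append((stanza, f"environment '{env}' is not public or gov"))
        interval = conf.get("interval", "").strip()
        if interval and not (interval.isdigit() and int(interval) > 0):
            findings.append((stanza, f"interval '{interval}' is not a number of seconds"))
    return findings

if __name__ == "__main__":
    print(*check_compute_inputs(SAMPLE_INPUTS, SAMPLE_ACCOUNTS), sep="\n")
```

To check a real instance, pass the contents of local/inputs.conf and local/ta_ms_aad_account.conf from the add-on directory to check_compute_inputs.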