Configure Azure Topology inputs for the Splunk Add on for Microsoft Azure - splunk/splunk-add-on-microsoft-azure GitHub Wiki
Before you enable inputs, complete the previous steps in the configuration process:
- Create an Azure AD App Registration
- Connect to your Azure Account with Splunk Add-on for Microsoft Azure
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Azure, click Inputs.
- Click Create New Input and then select Azure Topology (auto) or Azure Topology (manual).
- Enter the Name, Interval, Index, Azure App Account, Tenant ID, Environment, and other parameters using the information in the input parameter table below.
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create or modify a file named
inputs.confunder$SPLUNK_HOME/etc/apps/TA-MS-AAD/local. - For (auto) inputs, add the following stanza:
[azure_topology_automatic://<input_stanza_name>]
azure_app_account = <value>
environment = <value>
index = <value>
interval = <value>
source_type = <value>
subscription_id = <value>
tenant_id = <value>
- For (manual) inputs, add the following stanza:
[azure_topology_man://<input_stanza_name>]
azure_app_account = <value>
environment = <value>
index = <value>
interval = <value>
source_type = <value>
subscription_id = <value>
tenant_id = <value>
network_watcher_name = <value>
network_watcher_resource_group = <value>
target_resource_group = <value>
- Save and restart the Splunk platform.
Verify that the value listed for
azure_app_accountmatches the account entry inta_ms_aad_account.conf.
Each attribute in the following table corresponds to a field in Splunk Web.
| Attribute | Corresponding field in Splunk Web | Description |
|---|---|---|
[azure_topology_automatic://input_stanza_name] |
Name | A friendly name for your input. |
azure_app_account |
Azure App Account | The Azure App account from which you want to gather data. |
environment |
Environment | The Azure environment. Valid options are public and gov. |
tenant_id |
Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
subscription_id |
Subscription ID | The Azure Subscription ID. |
source_type |
Topology Sourcetype | The sourcetype to use for this input. |
interval |
Interval | The number of seconds to wait before the Splunk platform runs the command again. |
index |
Index | The index in which to store Azure data. |
Each attribute in the following table corresponds to a field in Splunk Web.
| Attribute | Corresponding field in Splunk Web | Description |
|---|---|---|
[azure_topology_man://input_stanza_name] |
Name | A friendly name for your input. |
azure_app_account |
Azure App Account | The Azure App account from which you want to gather data. |
environment |
Environment | The Azure environment. Valid options are public and gov. |
tenant_id |
Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
subscription_id |
Subscription ID | The Azure Subscription ID. |
source_type |
Topology Sourcetype | The sourcetype to use for this input. |
interval |
Interval | The number of seconds to wait before the Splunk platform runs the command again. |
index |
Index | The index in which to store Azure data. |
network_watcher_name |
Network Watcher Name | The name of the Network Watcher to provide access to topology data. |
network_watcher_resource_group |
Network Watcher Resource Group | The Resource Group containing the Network Watcher. |
target_resource_group |
Target Resource Group | The Resource Group containing the topology resources (VMs, Disks, Networks, etc.). This Resource Group should be in the same region as the Network Watcher. |
