Install the Splunk Add on for Microsoft Azure - splunk/splunk-add-on-microsoft-azure GitHub Wiki
- Get the Splunk Add-on for Microsoft Azure by downloading it from Splunkbase or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the following tables.
- An Azure tenant for Azure Active Directory inputs
- An active Azure Subscription for subscription-level inputs
- For Azure Active Directory Sign-in data, an Azure Active Directory Premium P1 or P2 edition
- An Azure Active Directory Application Registration
Use the following tables to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk platform component | Supported | Required | Comments |
|---|---|---|---|
| Splunk Cloud | Yes | No | To install the Splunk Add-on for Microsoft Azure on your Splunk Cloud instance, file an installation request with Splunk Cloud Support. |
| Search Heads | Yes | Yes | This add-on contains search-time knowledge. It is recommended to turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node. |
| Heavy Forwarders | Yes | No (but recommended) | It is recommended to install this add-on on a heavy forwarder for data collection. Data collection should be configured in only 1 place to avoid duplicates. |
| Indexers | Yes | No | Not required as the parsing operations occur on the forwarders. |
| Universal Forwarders | No | No | Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler. |
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Actions required / Comments |
|---|---|---|
| Search Head Clusters | Yes | Disable add-on visibility on search heads. You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. Before you install this add-on to a cluster, make the following changes to the add-on package, remove the inputs.conf file. |
| Indexer Clusters | Yes | Before you install this add-on to a cluster, make the following changes to the add-on package, remove the inputs.conf file. |
| Deployment Server | No | Supported for deploying unconfigured add-on only. Using a deployment server to deploy the configured add-on to multiple forwarders acting as data collectors causes duplication of data. |
