Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services


Configure Azure KQL Log Analytics input for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice.

Prerequisites

Before you configure this input, note the following:

The Azure Log Analytics KQL input for the Splunk Add-on for Microsoft Cloud Services is not compatible with the Azure Log Analytics KQL input in the Microsoft Azure Add-on for Splunk.

During data collection, the input's memory usage is directly proportional to the total size of the response to the configured KQL query. A very large response is expected to consume a correspondingly large amount of memory, so scope the query (for example with a time filter and a project clause) so that each run returns only the rows you need.

In each invocation, the input ingests all of the events that the KQL query returns, regardless of what earlier runs collected. Set the interval based on how frequently the input should collect the full result set, and, if the query collects a stream of events rather than a snapshot, bound the query's time range to match the interval so that each run returns only new events.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
  2. Select Create New Input and then select Azure KQL Log Analytics.
  3. Enter the Name, Azure App Account, Workspace ID, KQL Query, Interval, Index, Sourcetype, Index KQL Statistics and Index Empty Field Values fields, using the descriptions in the Input parameters section below.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Create a file named inputs.conf, if it does not already exist.
  3. Add the following stanza to configure an Azure Log Analytics KQL input:
    [mscs_azure_kql://<input_stanza_name>]
    interval = <value>
    index = <value>
    account = <value>
    workspace_id = <value>
    kql_query = <value>
    sourcetype = mscs:kql
    index_stats = 0/1
    index_empty_values = 0/1
    
  4. Save and restart the Splunk platform.

Input parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Each entry lists the inputs.conf attribute, the corresponding Splunk Web field, and a description.

input_stanza_name (Splunk Web field: Name)
  A friendly name for your input. The name cannot contain whitespace.

account (Splunk Web field: Azure App Account)
  The Azure App account from which you want to collect data. The account name cannot contain whitespace.

workspace_id (Splunk Web field: Workspace ID)
  The ID of the Azure Log Analytics workspace on which the KQL query runs.
  Sample workspace ID: 12345678-da78-4b5c-a034-22463f5b8639

kql_query (Splunk Web field: KQL Query)
  The KQL query to run on the given workspace.
  Sample KQL query: SigninLogs | project UserDisplayName, Identity

interval (Splunk Web field: Interval)
  The number of seconds to wait before the Splunk platform runs the query again. The default is 3600 seconds.
  Each invocation of the input ingests every event the KQL query returns, regardless of what earlier runs collected, so set the interval according to how often you want the full result set collected. If the query collects a stream of events rather than a snapshot, bound its time range to match the interval (for example, where TimeGenerated > ago(1h) with a 3600-second interval) so that each run returns only new events.

index (Splunk Web field: Index)
  The index in which to store the Azure KQL Log Analytics data.

sourcetype (Splunk Web field: Sourcetype)
  The sourcetype to use for this input. The configuration file stanza above uses mscs:kql.

index_stats (Splunk Web field: Index KQL Statistics)
  If enabled, the input also indexes one statistics event about the configured KQL query. The suffix :stats is appended to the configured sourcetype for that statistics event.

index_empty_values (Splunk Web field: Index Empty Field Values)
  If enabled, the input also indexes fields of the Log Analytics events whose values are empty.

If Index Empty Field Values is not enabled, empty fields are excluded from each event before it is ingested, which reduces event size. The following example shows how a raw event in the Log Analytics workspace is ingested into Splunk in that case.

Sample Raw Event in Log Analytics Workspace:

{
  "user": "test",
  "email": "email@test.com",
  "location": "",
  "mobile": ""
}

Sample Ingested Event in Splunk:

{
  "user": "test",
  "email": "email@test.com"
}
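As an added example (not code from the add-on or from Splunk), the following Python script walks through the whole cycle this page describes: it parses a constructed inputs.conf stanza and checks the constraints listed in the Input parameters section, converts a constructed query response (in the tables/columns/rows layout that the Azure Monitor Log Analytics Query API returns, which is an assumption of this example) into one event per row, drops empty-valued fields when index_empty_values is 0, and appends the :stats statistics event when index_stats is 1. The stanza values, the response rows, the GUID and TimeGenerated sanity checks, and the field names inside the statistics event are all this example's own and are not documented behaviour of the add-on.

```python
import configparser
import json
import re

# Constructed inputs.conf stanza in the shape the page documents. The stanza
# name, account, workspace ID and query are made-up values for this example.
SAMPLE_INPUTS_CONF = """[mscs_azure_kql://kql_signin_example]
interval = 3600
index = azure
account = azure_app_example
workspace_id = 12345678-da78-4b5c-a034-22463f5b8639
kql_query = SigninLogs | where TimeGenerated > ago(3600s) | project TimeGenerated, UserDisplayName, Identity, Location, ResultType
sourcetype = mscs:kql
index_stats = 1
index_empty_values = 0
"""

# Constructed query response in the tables/columns/rows layout returned by the
# Azure Monitor Log Analytics Query API (an assumption about the API shape; the
# rows themselves are invented).
SAMPLE_RESPONSE = json.dumps({"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"},
                {"name": "UserDisplayName", "type": "string"},
                {"name": "Identity", "type": "string"},
                {"name": "Location", "type": "string"},
                {"name": "ResultType", "type": "string"}],
    "rows": [["2024-02-05T10:00:00Z", "test", "email@test.com", "", "0"],
             ["2024-02-05T10:05:00Z", "alice", "", "", "50126"]],
}]})

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_stanza(conf_text):
    """Read the first mscs_azure_kql stanza and report violations of the rules
    the page states (no whitespace in the name or account, integer interval,
    0/1 flags). The GUID and TimeGenerated checks are this example's own."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = next(s for s in cp.sections() if s.startswith("mscs_azure_kql://"))
    cfg = dict(cp[section])
    cfg["name"] = section.split("://", 1)[1]
    problems = []
    if re.search(r"\s", cfg["name"]):
        problems.append("stanza name contains whitespace")
    if re.search(r"\s", cfg.get("account", "")):
        problems.append("account contains whitespace")
    if not cfg.get("interval", "3600").isdigit():
        problems.append("interval must be an integer number of seconds")
    for flag in ("index_stats", "index_empty_values"):
        if cfg.get(flag, "0") not in ("0", "1"):
            problems.append(f"{flag} must be 0 or 1")
    if not GUID_RE.match(cfg.get("workspace_id", "")):
        problems.append("workspace_id does not look like a workspace GUID")
    if "TimeGenerated" not in cfg.get("kql_query", ""):
        problems.append("kql_query has no TimeGenerated bound, so results are "
                        "not scoped to the collection interval")
    cfg["problems"] = problems
    return cfg


def rows_to_events(response_json, index_empty_values=False):
    """Turn every row of every result table into a dict keyed by column name.
    With index_empty_values False, fields whose value is "" or None are dropped
    (the Index Empty Field Values = 0 behaviour). json.loads holds the whole
    response in memory, which is why memory use grows with the result size."""
    events = []
    for table in json.loads(response_json).get("tables", []):
        names = [col["name"] for col in table["columns"]]
        for row in table["rows"]:
            event = dict(zip(names, row))
            if not index_empty_values:
                event = {k: v for k, v in event.items() if v not in ("", None)}
            events.append(event)
    return events


def build_stats_event(response_json, sourcetype, query, workspace_id):
    """Optional statistics event; ':stats' is appended to the sourcetype as the
    page states. The field names inside the event are hypothetical."""
    tables = json.loads(response_json).get("tables", [])
    return {"sourcetype": f"{sourcetype}:stats",
            "event": {"workspace_id": workspace_id, "kql_query": query,
                      "table_count": len(tables),
                      "row_count": sum(len(t["rows"]) for t in tables),
                      "response_bytes": len(response_json.encode("utf-8"))}}


def process_response(conf_text, response_json):
    """One invocation of the input: every row becomes a (sourcetype, event)
    pair, plus the statistics event when index_stats = 1."""
    cfg = parse_stanza(conf_text)
    if cfg["problems"]:
        raise ValueError("; ".join(cfg["problems"]))
    st = cfg.get("sourcetype", "mscs:kql")
    out = [(st, e) for e in rows_to_events(response_json,
                                          cfg.get("index_empty_values") == "1")]
    if cfg.get("index_stats") == "1":
        s = build_stats_event(response_json, st, cfg["kql_query"], cfg["workspace_id"])
        out.append((s["sourcetype"], s["event"]))
    return out
```

Calling process_response(SAMPLE_INPUTS_CONF, SAMPLE_RESPONSE) yields three pairs: the first row keeps TimeGenerated, UserDisplayName, Identity and ResultType, the second row loses both Identity and Location because they are empty, and the final pair carries sourcetype mscs:kql:stats with the row count and response size that drive the memory usage noted under Prerequisites. Flip index_empty_values to 1 in the stanza to see the empty fields retained.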
Last modified on 05 February, 2024
This documentation applies to the following versions of Splunk® Supported Add-ons: released

