Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure Azure Event Hub inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files. Before you enable inputs, complete the previous steps in the configuration process:

Azure Event Hub prerequisites

Perform the following prerequisites before configuring an event hub input.

  • Configure an Azure Event Hub in Azure. For more information, see the Quickstart: Create an event hub using Azure portal topic in the Microsoft Event Hubs documentation for more information.
  • Authorize access to Azure Event Hubs, by giving Azure Event Hubs Data Receiver permissions to each applicable Azure application. See the Authorize access to Azure Event Hubs topic in the Microsoft Event Hubs documentation for more information.

On your Azure deployment, a scaling best practice is to configure a ratio of at least one event hub throughput unit for each partition. For example, if you have 20 throughput units, the best practice is to configure 20 partitions. For more information on event hub throughput scalability, see the Scaling with Event Hubs topic in the Microsoft Azure documentation.

On the Splunk software side, the number of event hub inputs that you create as consumers on an event hub must be less than or equal to the number of partitions that you have on the event hub. For more information, see the Event Hubs topic in the Microsoft Azure documentation.

The Splunk Add-on for Microsoft Cloud Services does not support multiple Inputs Data Managers (IDMs) or heavy forwarders reading from a single Event Hub.

The Azure EventHubs input for the Splunk Add-on for Microsoft Cloud Services is not compatible with the Event Hubs input in the Microsoft Azure Add-on for Splunk, when listening to the same Event Hub namespace. The Event hubs input in the Microsoft Azure Add-on for Splunk needs to be disabled for this input to run.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
  2. Click Create New Input and then select Azure Event Hub.
  3. Enter the Name, Azure App Account, Event Hub namespace, Event Hub name, Consumer group, Max Wait Time, Max Batch Size, Transport Type, Interval and Index using the information in the following input parameter table.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Create a file named inputs.conf , if it does not already exist.
  3. Add the following stanza:
    [<input_stanza_name>]              
    account = <value>
    consumer_group = <value>
    event_hub_name = <value>
    event_hub_namespace = <value>
    index = <value>
    interval = <value>
    max_batch_size = <value>
    max_wait_time = <value>
    use_amqp_over_websocket = 1
    sourcetype = mscs:azure:eventhub
    
  4. Save and restart the Splunk platform.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Attribute Corresponding field in Splunk Web Description
input_stanza_name Name A friendly name for your input.
account Azure Account The Azure App account from which you want to collect data.
consumer_group Consumer Group The Azure Event Hub Consumer Group.
event_hub_name Event Hub Name The Azure Event Hub Name.
event_hub_namespace Event Hub Namespace (Fully Qualified Domain Name (FQDN)) The Azure Event Hub Namespace (FQDN). On portal.azure.com, on your Event Hubs Namespace page, the event_hub_namespace is displayed as Host Name in the Essentials section. It will have the following formatting: <name of your namespace>.servicebus.windows.net.
index Index The index in which to store Azure Event Hub data.
interval Interval The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.
max_batch_size Max Batch Size The maximum number of events to retrieve in one batch. The default is 300.
max_wait_time Max Wait Time The maximum interval in seconds that the event processor will wait before processing. The default is 300 seconds.
use_amqp_over_websocket Transport Type The switch that allows use of Advanced Message Queuing Protocol (AMQP) over WebSocket. The default is AMQP over WebSocket.
sourcetype Sourcetype The default sourcetype is mscs:azure:eventhub. If you want to change the default sourcetype, the Splunk software detects the time field of the event, which may cause errors in the timestamp field. To prevent this issue, configure the timestamp in the props.conf file, in the SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/ directory.
Last modified on 16 February, 2022
PREVIOUS
Enable a saved search
  NEXT
Troubleshoot the Splunk Add-on for Microsoft Cloud Services

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters