Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure Azure Event Hub inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files. Before you enable inputs, complete the previous steps in the configuration process:

Azure Event Hub prerequisites

Perform the following prerequisites before configuring an event hub input.

  • Configure an Azure Event Hub for each log category in Azure, such as Azure Active Directory (AAD), Resource, and Activity. For more information, see the Quickstart: Create an event hub using Azure portal topic in the Microsoft Event Hubs documentation for more information.
  • Authorize access to Azure Event Hubs, by giving Azure Event Hubs Data Receiver permissions to each applicable Azure application. See the Authorize access to Azure Event Hubs topic in the Microsoft Event Hubs documentation for more information.
  • Splunk Cloud customers who are installing this add-on on the Inputs Data Manager (IDM) and want to collect event hub data, must open a Splunk support case to update your stack's Access Control List (ACL) to allow for the outbound ports 5671/tcp and 5672/tcp (Advanced Message Queuing Protocol (AMQP) specification) to connect to their target Azure address. By default IDM's can only go out on port 443.

On your Azure deployment, a scaling best practice is to configure a ratio of at least one event hub throughput unit for each partition. For example, if you have 20 throughput units, the best practice is to configure 20 partitions. For more information on event hub throughput scalability, see the Scaling with Event Hubs topic in the Microsoft Azure documentation.

On the Splunk software side, the number of event hub inputs that you create as consumers on an event hub must be less than or equal to the number of partitions that you have on the event hub. For more information, see the Event Hubs topic in the Microsoft Azure documentation.

The Splunk Add-on for Microsoft Cloud Services does not support multiple Inputs Data Managers (IDMs) or heavy forwarders reading from a single Event Hub.

The Azure EventHubs input for the Splunk Add-on for Microsoft Cloud Services is not compatible with the Event Hubs input in the Microsoft Azure Add-on for Splunk, when listening to the same Event Hub namespace. The Event hubs input in the Microsoft Azure Add-on for Splunk needs to be disabled for this input to run.

Horizontal Scaling Across Multiple Splunk Environment

Version 5.0.0 and higher of the Splunk Add-on for Microsoft Cloud Services supports multiple Eventhub inputs configuration across multiple Splunk environments to collect data from the same Azure Eventhub using the Storage Blob checkpoint store mechanism. To use the horizontal scaling, while creating the Eventhub input, enter "Enable Blob Checkpoint Store", "Azure Storage Account" and "Container Name".

Prerequisites

Risks

  • There is a small chance of data duplication, up to 5%.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
  2. Click Create New Input and then select Azure Event Hub.
  3. Enter the Name, Azure App Account, Event Hub namespace, Event Hub name, Consumer group, Max Wait Time, Max Batch Size, Transport Type, Interval and Index , "Enable Blob Checkpoint Store" then enter "Container Name", and "Storage Account" using the information in the following input parameter table.


Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Create a file named inputs.conf , if it does not already exist.
  3. Add the following stanza for eventhub input:
    [<input_stanza_name>]              
    account = <value>
    blob_checkpoint_enabled = <value>
    storage_account = <value>
    container_name = <value>
    consumer_group = <value>
    event_hub_name = <value>
    event_hub_namespace = <value>
    container_name = <value>
    index = <value>
    interval = <value>
    max_batch_size = <value>
    max_wait_time = <value>
    use_amqp_over_websocket = 1
    sourcetype = mscs:azure:eventhub
    Storage_account = <value>
    
  4. Save and restart the Splunk platform.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Attribute Corresponding field in Splunk Web Description
input_stanza_name Name A friendly name for your input.
account Azure Account The Azure App account from which you want to collect data.
consumer_group Consumer Group The Azure Event Hub Consumer Group.
event_hub_name Event Hub Name The Azure Event Hub Name.
event_hub_namespace Event Hub Namespace (Fully Qualified Domain Name (FQDN)) The Azure Event Hub Namespace (FQDN). On portal.azure.com, on your Event Hubs Namespace page, the event_hub_namespace is displayed as Host Name in the Essentials section. It will have the following formatting: <name of your namespace>.servicebus.windows.net.


index Index The index in which to store Azure Event Hub data.
interval Interval The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.
max_batch_size Max Batch Size The maximum number of events to retrieve in one batch. The default is 300.
max_wait_time Max Wait Time The maximum interval in seconds that the event processor will wait before processing. The default is 300 seconds.
use_amqp_over_websocket Transport Type The switch that allows use of Advanced Message Queuing Protocol (AMQP) over WebSocket. The default is AMQP over WebSocket.

Eventhub input does not support "Transport Type" as "AMQP" in Splunk Cloud.


sourcetype Sourcetype Select the respective sourcetype based on the configured event hub. Supported sourcetypes as mscs:azure:eventhub, azure:monitor:aad, azure:monitor:resource and azure:monitor:activity. The default sourcetype is mscs:azure:eventhub
blob_checkpoint_enabled Enable Blob Checkpoint Store Enable storage blob as checkpoint for eventhub input

It is important to note that if you use this option, there will be no backward compatibility for the File Checkpoint. If this option is checked once, and then disabled in future; there will be data duplication.

storage_account Azure Storage Account The Azure Storage account in which Container is created to store eventhub checkpoint.
container_name Container Name Enter the container name under the storage account. You can only add one container name for each input.}
Last modified on 29 March, 2023
PREVIOUS
Enable a saved search
  NEXT
Configure Advanced settings in Splunk Add-on for Microsoft Cloud Services

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters