Splunk Add-on for Microsoft Cloud Services

Configure Azure Audit Modular inputs for the Splunk Add-on for Microsoft Cloud Services

Before you enable inputs, complete the previous steps in the configuration process:

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
  2. Click Create New Input and then select Azure Audit.
  3. Enter the Name, Azure Account, Subscription ID, Start Time, Interval, and Index using the information in the input parameter table below.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create a file named mscs_azure_audit_inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Add the following stanza, where <input_stanza_name> is the friendly name for the input (the Name field in Splunk Web):
    [<input_stanza_name>]
    account = <value>
    subscription_id = <value>
    start_time = <value>
    index = <value>
    interval = <value>
  3. Save and restart the Splunk platform.

Verify that the value listed for account matches the account entry in mscs_azure_accounts.conf.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Attribute | Corresponding field in Splunk Web | Description
input_stanza_name | Name | A friendly name for your input.
account | Azure Account | The Azure App account from which you want to gather data.
subscription_id | Subscription ID | The instance queries the management events that belong to this subscription. The subscription ID is the one you configured in Microsoft account requirements.
start_time | Start Time | The add-on collects data dated later than this time. The format is YYYY-MM-DDThh:mm:ssTZD, and the default is 30 days before the time of configuration. For example, 2016-07-15T09:00:00+08:00 fetches data from 2016-07-15 09:00:00 in the UTC+8 time zone. The maximum start time of Azure Audit inputs is 90 days before the configuration.
interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.
index | Index | The index in which to store Azure audit data.
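The following added example (not part of the add-on or this documentation) checks a mscs_azure_audit_inputs.conf stanza against the rules above before a restart: the account must exist in mscs_azure_accounts.conf, start_time must use the YYYY-MM-DDThh:mm:ssTZD format and lie within the 90-day window, and interval must be a positive number of seconds. The stanza names, account name, subscription ID and file contents are constructed sample values.

```python
"""Pre-flight check for an Azure Audit input stanza (example, not add-on code)."""
import configparser
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"      # YYYY-MM-DDThh:mm:ssTZD, e.g. 2016-07-15T09:00:00+08:00
MAX_LOOKBACK = timedelta(days=90)       # documented maximum start time
REQUIRED = ("account", "subscription_id", "start_time", "index", "interval")

# Constructed sample files; the real ones live under
# $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
ACCOUNTS_CONF = """
[azure_prod]
account_type = Azure
"""
INPUTS_CONF = """
[audit_prod]
account = azure_prod
subscription_id = 00000000-0000-0000-0000-000000000000
start_time = 2016-07-15T09:00:00+08:00
index = azure_audit
interval = 3600
"""


def load_conf(text):
    # Splunk .conf files are INI-style; disable interpolation so '%' is literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def validate_input(inputs_text, accounts_text, stanza, now=None):
    """Return a list of problems for one input stanza; an empty list means it is valid.
    'now' is an optional timestamp in TS_FORMAT (defaults to the current UTC time)."""
    now_ts = datetime.strptime(now, TS_FORMAT) if now else datetime.now(timezone.utc)
    inputs, accounts = load_conf(inputs_text), load_conf(accounts_text)
    if stanza not in inputs:
        return ["missing stanza [%s]" % stanza]
    s = inputs[stanza]
    problems = ["missing %s" % key for key in REQUIRED if not s.get(key)]
    # The account value must match a stanza in mscs_azure_accounts.conf.
    if s.get("account") and s["account"] not in accounts:
        problems.append("account %r not found in mscs_azure_accounts.conf" % s["account"])
    if s.get("interval") and (not s["interval"].isdigit() or int(s["interval"]) <= 0):
        problems.append("interval must be a positive number of seconds")
    if s.get("start_time"):
        try:
            if now_ts - datetime.strptime(s["start_time"], TS_FORMAT) > MAX_LOOKBACK:
                problems.append("start_time is more than 90 days before now")
        except ValueError:
            problems.append("start_time must be YYYY-MM-DDThh:mm:ssTZD")
    return problems
```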

This documentation applies to the following versions of Splunk® Supported Add-ons: released


The input asks for a "subscription_id", and says you configured one here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Hardwareandsoftwarerequirements

The only mention of a subscription_id on that page is in the comments where a Splunk staff member implies they removed the requirement from the documentation.

If knowledge of a subscription_id is still required at this step why has it been removed from the step that would have otherwise ensured we kept record of it?

February 20, 2018
