Related Answers
Download topic as PDF
Configure the Azure Storage Table modular Input for the Splunk Add-on for Microsoft Cloud Services
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Prerequisites
Before you enable inputs, complete the previous steps in the configuration process:
- Configure a Storage Account in Microsoft Cloud Service
- Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
- Select Create New Input.
- Select Azure Storage Table.
- Select Input type as Storage table, and fill out the Name, Azure Storage Account, Table List, Start Time, Interval, Index and Sourcetype fields using the Input parameters table.
Configure inputs using configuration files
- Create a file called inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
- Configure Azure storage table inputs with the following stanza:
[mscs:storage:table://<input_name>] account = <value> collection_interval = <value> storage_table_type = storage_table table_list = <value> start_time = <value> index = <value> sourcetype = <value>
- Save and restart the Splunk platform.
Input parameters
| Attributes | Corresponding field in Splunk Web | Description |
|---|---|---|
mscs:storage:table://<input_name>
|
Name | A friendly name for your input. Name cannot contain any whitespace. |
account
|
Azure Storage Account | Choose a Storage Account you have configured. Name cannot contain any whitespace. |
table_list
|
Table List | The table list under the storage account. You can enter multiple table names separated by commas. You can also use wildcards (*) or regular expression in the table name. If the table name uses regular expressions, add a colon in front of the table name. For example: table*, :table\d+.
|
start_time
|
Start Time | The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration. For example, 2016-07-15T09:00:00+08:00 collects data from 2016-07-15 09:00:00 in the UTC+8 time zone. |
collection_interval
|
Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. |
index
|
Index | The index in which to store Azure Storage Table data. |
sourcetype
|
Sourcetype | The default source type is mscs:storage:table.
If you want to change the default source type, Splunk software detects the time field of the event, which can cause errors in the timestamp field. To prevent this issue, configure the timestamp under SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/props.conf. |
storage_table_type
|
Input Type, with Storage Table as selection value. | Choose Storage Table' for the input type. |
|
PREVIOUS Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services |
NEXT Configure Azure Storage Blob modular inputs for the Splunk Add-on for Microsoft Cloud Services |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!