
Configure Azure Storage Table Modular Input for Splunk Add-on for Microsoft Cloud Services
Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:
- Configure a Storage Account in Microsoft Cloud Service
- Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
- Click Create New Input.
- Select Azure Storage Table.
- Select Input type as Storage table, and fill out the Name, Azure Storage Account, Table List, Start Time, Interval, Index and Sourcetype fields using the input parameter table below.
Configure inputs using configuration files
- Create a file called
inputs.conf
under$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local
. - Configure Azure storage table inputs with the following stanza:
[mscs:storage:table://<input_name>] account = <value> collection_interval = <value> storage_table_type = storage_table table_list = <value> start_time = <value> index = <value> sourcetype = <value>
- Save and restart the Splunk platform.
Input Parameters
Attributes | Corresponding field in Splunk Web | Description |
---|---|---|
mscs:storage:table://<input_name>
|
Name | A friendly name for your input. |
account
|
Azure Storage Account | Choose a Storage Account you have configured. |
table_list
|
Table List | The table list under the storage account. You can enter multiple table names separated by commas. You can also use wildcards (*) or regex in the table name. If the table name uses regex syntax, please add a colon in front of the table name. For example: table*, :table\d+. |
start_time
|
Start Time | The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration, e.g. 2016-07-15T09:00:00+08:00 stands for fetching data from 2016-07-15 09:00:00 in UTC+8 time zone. |
collection_interval
|
Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. |
index
|
Index | The index in which to store Azure Storage Table data. |
sourcetype
|
Sourcetype | The default is mscs:storage:table .
If you want to change the default sourcetype, the Splunk software detects the time field of the event, which may cause errors in the timestamp field. To prevent this issue, configure the timestamp under |
storage_table_type
|
Input Type, with Storage Table as selection value. | Choose data input as Storage Table. |
PREVIOUS Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services |
NEXT Configure Azure Storage Blob Modular Inputs for Splunk Add-on for Microsoft Cloud Services |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!