Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Configure Azure Storage Table Modular Input for Splunk Add-on for Microsoft Cloud Services

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
  2. Click Create New Input.
  3. Select Azure Storage Table.
  4. Select Input type as Storage table, and fill out the Name, Azure Storage Account, Table List, Start Time, Interval, Index and Sourcetype fields using the input parameter table below.

Configure inputs using configuration files

  1. Create a file called inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Configure Azure storage table inputs with the following stanza:
    [mscs:storage:table://<input_name>]
    account = <value>
    collection_interval = <value>
    storage_table_type = storage_table
    table_list = <value>
    start_time = <value>
    index = <value>
    sourcetype = <value>
  3. Save and restart the Splunk platform.

Input Parameters

| Attributes | Corresponding field in Splunk Web | Description |
|---|---|---|
| mscs:storage:table://<input_name> | Name | A friendly name for your input. |
| account | Azure Storage Account | Choose a Storage Account you have configured. |
| table_list | Table List | The table list under the storage account. You can enter multiple table names separated by commas. You can also use wildcards (*) or regex in the table name. If the table name uses regex syntax, add a colon in front of the table name. For example: table*, :table\d+. |
| start_time | Start Time | The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration. For example, 2016-07-15T09:00:00+08:00 means data is fetched from 2016-07-15 09:00:00 in the UTC+8 time zone. |
| collection_interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. |
| index | Index | The index in which to store Azure Storage Table data. |
| sourcetype | Sourcetype | The default is mscs:storage:table. |
| storage_table_type | Input Type, with Storage Table as selection value | Choose data input as Storage Table. |

If you change the default sourcetype, the Splunk software detects the time field of the event, which may cause errors in the timestamp field. To prevent this issue, configure the timestamp under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/props.conf.
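To check which tables a table_list value would collect, and what instant a start_time value denotes, before enabling an input, the following added example (not code from the add-on) interprets both fields as described in the parameter table. The function names and the sample table names are constructed for illustration, and it assumes that a pattern must match the whole table name, which the table does not state.

```python
import re
from datetime import datetime, timezone

def parse_table_list(table_list):
    """Split a table_list value into (kind, compiled pattern) entries."""
    entries = []
    for raw in table_list.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith(":"):
            # A leading colon marks the entry as a regex.
            entries.append(("regex", re.compile(item[1:])))
        else:
            # Plain name: only * is special, everything else is literal.
            pattern = ".*".join(re.escape(part) for part in item.split("*"))
            entries.append(("wildcard", re.compile(pattern)))
    return entries

def select_tables(table_list, available):
    """Return the names in `available` that table_list would select."""
    entries = parse_table_list(table_list)
    # Assumption: whole-name match (the add-on's exact semantics are not documented here).
    return [name for name in available
            if any(rx.fullmatch(name) for _, rx in entries)]

def start_time_utc(start_time):
    """Parse YYYY-MM-DDThh:mm:ssTZD and return the same instant in UTC."""
    parsed = datetime.strptime(start_time, "%Y-%m-%dT%H:%M:%S%z")
    return parsed.astimezone(timezone.utc)

# Constructed sample: table names that might exist in a storage account.
SAMPLE_TABLES = ["table1", "table22", "tableAudit", "audit", "mytable7"]

if __name__ == "__main__":
    for value in ("table*, :table\\d+", ":table\\d+", "audit"):
        print(f"table_list = {value!r:24} -> {select_tables(value, SAMPLE_TABLES)}")
    print(start_time_utc("2016-07-15T09:00:00+08:00").isoformat())
```

Because entries are split on commas first, a regex entry that itself contains a comma (for example a `{2,4}` quantifier) would be split in two under this reading.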
Last modified on 01 December, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released
