Configure Azure Storage Blob Modular Inputs for Splunk Add-on for Microsoft Cloud Services
Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services introduced a blob storage duplication solution that conflicts with the event hub input, leading to the following error:
AADSTS7000215: Invalid client secret is provided.
If you do not need the blob storage duplication fix, the best practice is to continue using version 4.1.1 of this add-on instead of upgrading to version 4.1.2.
Before you enable inputs, complete the previous steps in the configuration process:
- Configure a Storage Account in Microsoft Cloud Service
- Connect to your Azure Storage account with the Splunk Add-on for Microsoft Cloud Services
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.
The Azure Storage Blob modular input for Splunk Add-on for Microsoft Cloud Services does not support the ingestion of gzip files. Only plaintext files are supported.
Since the format of the data in Azure Storage Blob channel varies (including text and binary data), the Splunk best practice is to leverage the options for sourcetypes to make the event data more effective. See Overview of Event Processing for more information.
Configure ingestion mode
Configure ingestion mode by selecting a blob mode that aligns with the blob type that you selected while creating the blob in your Azure storage account. See the following table for more information:
|Append||Other (Block or Page)|
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
- Click Create New Input and select Azure Storage Blob.
- Enter the Name, Storage Account, Container Name, Blob list, Interval, Index and Sourcetype using the inputs parameters table below.
Configure inputs using Configuration File
- Create a file called
- Configure Azure Storage Blob input with the following stanza:
[mscs_storage_blob://<input_name>]] account = <value> application_insights = <value> blob_mode = <value> collection_interval = <value> container_name = <value> blob_list = <value> exclude_blob_list = <value> decoding = <value> guids = <value> index = <value> log_type = <value> sourcetype = <value> disabled = <value>
Each attribute in the following table corresponds to a field in Splunk Web.
|Attribute||Corresponding field in Splunk Web||Description|
||Name||Enter a friendly name of your inputs.|
||Azure Storage Account||Select the storage account name you configured.|
||Application Insights Check||Indicates whether the Azure storage blob ingests data from |
||Container Name||Enter the container name under the storage account. You can only add one container name for each input.|
||Blob List||Enter the Blob name which you want to collect the data from. You can add multiple blob names separated by commas. If you leave this field empty, this add-on will collect all the blob lists under the Container Name you just configured.
You can enter the specific blob list name, use wildcard or use regex expression in this field.
||NULL||Select blob mode from the following values:|
||Interval||The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.|
||Decoding||Specify the character set of the file, such as UTF-8 or UTF-32. If you leave this field blank, this add-on will use the default character set of the file.|
||Excluded Blob List||Optional. Enter the Blob name that you do not want to collect the data from. You can add multiple blob names separated by commas. The syntax of the Excluded Blob List is the same as Blob List.|
||GUIDs||Indicates the guid identifier used for application insights data with format: <application insights resource name>_<instrumentation key>. Entered as comma separated values. Required if |
||Index||The index in which to store Azure Storage Blob data.|
||Log type||Filters the results to return only blobs whose names begin with the specified log type. Application Insights blob format: |
||Sourcetype||The default is |
If there is a file match the syntax both in Blob List and Exclude Blob List, Exclude Blob List is in higher priority. For example, if there is a blob list name blob1, and it matches the syntax you set in Blob List and Exclude Blob List, this add-on will exclude this list because Exclude Blob List is in higher priority.
Configure Azure Storage Table Modular Input for Splunk Add-on for Microsoft Cloud Services
Configure Azure Virtual Machine Metrics Modular Input for Splunk Add-on for Microsoft Cloud Services
This documentation applies to the following versions of Splunk® Supported Add-ons: released