Onboarding for Azure data in Data Manager
Data Manager helps you quickly set up hundreds of Azure accounts for data ingestion into your Splunk Cloud deployment.
Stages of onboarding
The onboarding steps are described in detail within Data Manager. The details are not duplicated here.
Onboard Azure Active Directory accounts
Onboarding an Azure Active Directory account consists of the following stages:
- Azure Admin completes the setup prerequisites by creating an application on the Azure portal.
- Configure the Data sources, Tenant ID, Client ID, Client Secret, Event Hub subscription ID, Event Hub region, and Destination.
- Deploy the Azure Resource Manager (ARM) Template on your Event Hub subscription.
- Click Review Data Input to navigate to the Data Management home page and see your data input.
Onboard Azure Activity Log accounts
Onboarding an Azure Activity Log account consists of the following stages:
- Azure Admin completes the setup prerequisites by creating an application on the Azure portal.
- Configure the Data sources, Tenant ID,Client ID, Client Secret, Source Subscription IDs, Event Hub Subscription ID, Event Hub Region, and Splunk Index Destination.
- Deploy the Azure Resource Manager (ARM) Template on your Event Hub subscription.
- Click Review Data Input to navigate to the Data Management home page and see your data input.
Summary of Azure Resource Manager templates
A high-level summary of Azure Resource Manager (ARM) stack templates follows.
The onboarding steps are described in detail within Data Manager. The details are not duplicated here.
- Data Manager provides ARM templates to deploy the resources on your Azure deployment that are used to send your Azure data to your Splunk Cloud deployment.
- The ARM template creates a new role definition and assigns the role to the Data Manager application (Client ID) registered during on-boarding. This role allows Data Manager to check the status of the deployed resources.
- The ARM template enables diagnostic settings on all the resources to collect metrics for debugging. This enables a more expansive diagnostic setting on the Function App to capture info logs output by the Azure Function for debugging. The amount of logs produced is proportionate to the load.
- You use the CLI to apply the templates.
Deploy ARM template in test mode
Deploy the ARM template in what-if
mode to see what operations will be performed without actually performing them. Running the deployment commands in what-if
mode will allow you to preview the changes that will be made.
- If using the CLI, add another argument what-if at the beginning of the command. For example:
az deployment sub create what-if ...
- If using PowerShell, add another argument -Whatif to the New-AzSubscriptionDeployment command. For example:
New-AzSubscriptionDeployment -Whatif ...
Summary of ARM template resources
The following table displays the resources that are deployed on your Azure deployment by the ARM template.
Resource name | Description |
---|---|
Azure Resource Group | A resource group is created to contain all of the resources that are deployed. Alternatively, the user can specify an existing resource group. |
Azure Event Hub | An Azure-specific big data streaming platform and event ingestion service. |
Azure Function | A serverless compute service that runs code on demand, without needing to host it on a server and managing infrastructure. |
Azure Storage Account | A storage account contains Azure Storage data objects, including storage blobs. The storage account provides a unique namespace for your Azure Storage data. |
Azure Role | The Data Manager ARM template deploys a role to give the service principal created permissions that are used to read the metadata of the Azure Subscription and Azure resources that are created during the deployment of the ARM template. These resources, such as the Event Hub Namespace and Storage Account, are used by Data Manager to make recommendations during onboarding. |
Azure prerequisites for Data Manager | Verify the data input for Azure in Data Manager |
This documentation applies to the following versions of Data Manager: 1.6.1
Feedback submitted, thanks!