Data Manager

User Manual



This documentation does not apply to the most recent version of Data Manager.

Onboarding for Azure data in Data Manager

Data Manager helps you set up hundreds of Azure accounts for data ingestion into your Splunk Cloud platform deployment.

Stages of onboarding

The onboarding steps are described in detail within Data Manager. The details are not duplicated here.

Onboard Azure Active Directory accounts

Onboarding an Azure Active Directory account consists of the following stages:

  1. Azure Admin completes the setup prerequisites by creating an application on the Azure portal.
  2. Configure the Data sources, Tenant ID, Client ID, Client Secret, Event Hub subscription ID, Event Hub region, and Destination.
  3. Deploy the Azure Resource Manager (ARM) Template on your Event Hub subscription.
  4. Click Review Data Input to navigate to the Data Management home page and see your data input.

This image shows an example of a single account onboarding flow.

Onboard Azure Activity Log accounts

Onboarding an Azure Activity Log account consists of the following stages:

  1. Azure Admin completes the setup prerequisites by creating an application on the Azure portal.
  2. Configure the Data sources, Tenant ID, Client ID, Client Secret, Source Subscription IDs, Event Hub Subscription ID, Event Hub Region, and Splunk Index Destination.
  3. Deploy the Azure Resource Manager (ARM) Template on your Event Hub subscription.
  4. Click Review Data Input to navigate to the Data Management home page and see your data input.

This image shows an example of a single account onboarding flow.

Summary of Azure Resource Manager templates

A high-level summary of Azure Resource Manager (ARM) stack templates follows.

The onboarding steps are described in detail within Data Manager. The details are not duplicated here.

  1. Data Manager provides ARM templates to deploy the resources on your Azure deployment that are used to send your Azure data to your Splunk Cloud deployment.
    1. The ARM template creates a new role definition and assigns the role to the Data Manager application (Client ID) registered during onboarding. This role allows Data Manager to check the status of the deployed resources.
    2. The ARM template enables diagnostic settings on all the resources to collect metrics for debugging. This enables a more expansive diagnostic setting on the Function App to capture info logs output by the Azure Function for debugging. The amount of logs produced is proportionate to the load.
  2. You use the CLI to apply the templates.
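
One way to check, before applying a template, that the role it defines only grants read access, as an added example (not Splunk's code and not part of Data Manager). It walks an ARM template, including nested deployments and child resources, and reports role-definition actions that are not reads. The sample template and its names are constructed, and the role's permissions are assumed to be written as literals rather than template expressions.

```python
import json

ROLE_DEF = "Microsoft.Authorization/roleDefinitions"
NESTED = "Microsoft.Resources/deployments"

# Constructed sample, NOT the Data Manager template: a subscription-level
# template whose role definition sits inside a nested deployment.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Resources/resourceGroups", "name": "example-rg"},
  {"type": "Microsoft.Resources/deployments", "name": "example-nested",
   "properties": {"template": {"resources": [
     {"type": "Microsoft.Authorization/roleDefinitions", "name": "example-role",
      "properties": {"roleName": "Example Status Reader", "permissions": [
        {"actions": ["Microsoft.EventHub/namespaces/read",
                     "Microsoft.Storage/storageAccounts/read",
                     "Microsoft.Storage/storageAccounts/listkeys/action"]}]}}
   ]}}}
]}
""")

def iter_resources(node):
    """Yield every resource, descending into nested deployments and child resources."""
    items = node.get("resources", [])  # a dict in symbolic-name templates, else a list
    for res in (items.values() if isinstance(items, dict) else items):
        yield res
        if res.get("type") == NESTED:
            res = res.get("properties", {}).get("template", {})
        yield from iter_resources(res)

def non_read_actions(template):
    """Map each role name to its sorted actions/dataActions that are not reads."""
    findings = {}
    for res in iter_resources(template):
        if res.get("type") != ROLE_DEF:
            continue
        props = res.get("properties", {})
        name = props.get("roleName", res.get("name", "<unnamed>"))
        extra = set()
        for perm in props.get("permissions", []):
            for action in perm.get("actions", []) + perm.get("dataActions", []):
                if not action.lower().endswith("/read"):
                    extra.add(action)
        findings[name] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(non_read_actions(SAMPLE_TEMPLATE))
```

An empty list for a role means every action it grants ends in `/read`; anything listed is worth confirming against what the role is documented to do.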


Deploy ARM template in test mode

Deploy the ARM template in what-if mode to see what operations will be performed without actually performing them. Running the deployment commands in what-if mode will allow you to preview the changes that will be made.

  • If using the CLI, add another argument --what-if at the beginning of the command. For example: az deployment sub create --what-if ...
  • If using PowerShell, add another argument -Whatif to the New-AzSubscriptionDeployment command. For example: New-AzSubscriptionDeployment -Whatif ...

Summary of ARM template resources

The following table displays the resources that are deployed on your Azure deployment by the ARM template.

| Resource name | Description |
|---|---|
| Azure Resource Group | A resource group is created to contain all of the resources that are deployed. Alternatively, the user can specify an existing resource group. |
| Azure Event Hub | An Azure-specific big data streaming platform and event ingestion service. |
| Azure Function | A serverless compute service that runs code on demand, without needing to host it on a server or manage infrastructure. |
| Azure Storage Account | A storage account contains Azure Storage data objects, including storage blobs. The storage account provides a unique namespace for your Azure Storage data. |
| Azure Role | The Data Manager ARM template deploys a role that gives the created service principal permissions to read the metadata of the Azure Subscription and of the Azure resources that are created during the deployment of the ARM template. These resources, such as the Event Hub Namespace and Storage Account, are used by Data Manager to make recommendations during onboarding. |

Last modified on 07 September, 2022

This documentation applies to the following versions of Data Manager: 1.7.0

