Updated 2/22/2021: Splunk support to import Azure data has been updated. Please refer to the information on the Splunk Add-On for Microsoft Cloud Services Splunkbase page for more details.
Azure Monitor is a platform service that provides data routing and access for Azure resources. Azure Monitor exposes 3 main types of data:
In order to get this data into Splunk, certain setup steps need to happen on both the Azure side and the Splunk side. My previous blog post, "Splunking Microsoft Azure Monitor Data – Part 1 – Azure Setup," covered the steps necessary on the Azure side for Azure Monitor data collection. This blog post focuses on what needs to happen on the Splunk side.
Fortunately, the Microsoft Azure Add-on for Splunk has inputs for all three types of data mentioned above (plus a lot more). However, there are a few extra steps involved in setting up this add-on. The following is an overview of what we will be detailing in this blog post:
If you were following along in the previous blog post, you would have ended up with a table of saved information like the following:
| Item | Value |
| --- | --- |
| Application ID | 11111111-1111-1111-1111-111111111111 |
| Application Key | 22222222-2222-2222-2222-222222222222 |
| Connection string–primary key | Endpoint=sb://ehns.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=1234567890 |
Recall that activity logs and diagnostic logs are routed to an Event Hub by Azure Monitor. To read the Event Hub data programmatically, you need the Event Hub name and its connection string.
To read metric data programmatically via the REST API, you need an Azure AD application ID and application key.
After installing the add-on in your Splunk environment, open the add-on and navigate to Inputs > Create New Input > Azure Event Hub.
The following screen is presented prompting for input parameters:
We already have the connection string. The next piece of information you need is the Event Hub name. When you create the diagnostic setting on the Azure side, you have the option of specifying an Event Hub name or letting Azure create one for you. If you let Azure create the Event Hub for you, activity and diagnostic logs are typically written to the insights-activity-logs hub.
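Before pasting the connection string into the Event Hub input, it helps to check that it has the shape shown in the table above and that the key can be redacted in tickets and logs. The following is an added example, not code from the original post or from the Splunk add-on; the policy name `splunk-listen` and the keys are constructed values.

```python
"""Parse, review and redact an Azure Event Hub connection string (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, List
from urllib.parse import urlparse

# Azure creates this namespace-level policy by default and it carries Manage
# rights; a Splunk input only receives events, so a Listen-only policy suffices.
ROOT_POLICY = "RootManageSharedAccessKey"

# Constructed sample in the format from the table above (placeholder key).
SAMPLE = ("Endpoint=sb://ehns.servicebus.windows.net/;"
          "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=1234567890")

@dataclass
class EventHubConnection:
    namespace_host: str           # e.g. ehns.servicebus.windows.net
    policy_name: str              # SharedAccessKeyName
    key: str                      # SharedAccessKey (the secret)
    entity_path: Optional[str]    # EntityPath, present only on hub-scoped strings

def parse_connection_string(conn: str) -> EventHubConnection:
    parts = {}
    for segment in filter(None, conn.split(";")):
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment!r}")
        name, _, value = segment.partition("=")  # base64 keys may end in '='
        parts[name] = value
    missing = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey"} - parts.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    endpoint = urlparse(parts["Endpoint"])
    if endpoint.scheme != "sb" or not endpoint.hostname:
        raise ValueError(f"unexpected endpoint: {parts['Endpoint']!r}")
    return EventHubConnection(endpoint.hostname, parts["SharedAccessKeyName"],
                              parts["SharedAccessKey"], parts.get("EntityPath"))

def review(conn: EventHubConnection) -> List[str]:
    """Findings to raise before the string is stored in the Splunk input."""
    findings = []
    if conn.policy_name == ROOT_POLICY:
        findings.append("namespace Manage policy in use; create a Listen-only policy for Splunk")
    if not conn.namespace_host.endswith(".servicebus.windows.net"):
        findings.append(f"unexpected namespace host: {conn.namespace_host}")
    return findings

def redact(conn: str) -> str:
    """Mask the SharedAccessKey value so the string can be shared safely."""
    return re.sub(r"(SharedAccessKey=)[^;]*", r"\1<redacted>", conn)

if __name__ == "__main__":
    parsed = parse_connection_string(SAMPLE)
    print(redact(SAMPLE), review(parsed))
```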
Here is a search that shows the creation of the Event Hub namespace from the previous blog post:
sourcetype=azure:eventhub operationName="MICROSOFT.EVENTHUB/NAMESPACES/WRITE"
1. Open the add-on and navigate to Configuration > Account > Add.
2. Fill in the Application ID for the Client ID and the Application Key for the Client Secret. Then, click the Add button.

| Item | Value |
| --- | --- |
| Application ID | 11111111-1111-1111-1111-111111111111 |
| Application Key | 22222222-2222-2222-2222-222222222222 |
| Connection string–primary key | Endpoint=sb://ehns.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=1234567890 |

3. Navigate to Inputs > Create New Input > Azure Metrics.
You will be presented with the following screen:
Here is a search displaying Virtual Machine metrics:
sourcetype="azure:metrics" namespace="microsoft.compute/virtualmachines"