I have tried creating inputs for both:
Azure Audit
Azure Resource
I also created the required Azure App Account that is referenced when creating the input. The Azure App Account was created with the required Client ID, Key (Client Secret), and Tenant ID.
I have also created Data Inputs by selecting my specific Splunk Add-on, such as Microsoft Cloudservice Azure Audit, which can be found by going to Settings > Data Inputs > Splunk Add-on for Microsoft Cloudservice Azure Audit, and nothing has worked to get data into my index.
According to the Splunk docs, Azure Audit is to be used when trying to pull data from Azure applications that use Azure Application Insights.
Can anyone tell me if they have this working and if so what was configured? All of my Splunk configurations were done through the GUI.
This blog post details all the necessary steps to enable the Audit input -> https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html
Here is a handy search to help troubleshoot:
index=_internal source=*cloudservices* error
Thanks Maciep. I opened a ticket with Azure support and will be with them online today troubleshooting this issue. I will post the information provided today if it gets things working.
Thanks for the video!
Not sure about getting your config to work (we struggle with the O365 connection/input with that add-on). But my understanding is that the plan, for now at least (MS always seems to be changing it), is to send everything to Azure Monitor. Maybe that's not the case for your data?
But they do have a TA specifically for Azure Monitor now. We struggled getting that add-on to work as well, but the developer was very responsive and helped us through installing/configuring it.
Azure Monitor Add-on For Splunk
And here is their session at .conf this year:
Monitor and Manage Your Cloud Environment with Azure Monitor and Splunk