How to change the Azure Monitor (TA-Azure_Monitor)...

Log_wrangler · ‎07-30-2018

I am having a bit of trouble changing the index = main to index =azure_data.

I installed the TA on a heavy forwarder.
In /opt/splunk/etc/apps/TA-Azure_Monitor/default I see inputs.conf,

[azure_activity_log]
index=main
interval=60
sourcetype=amal:activityLog

I made a copy of inputs.conf to /opt/splunk/etc/apps/TA-Azure_Monitor/local

and modified it to

[azure_activity_log]
index=azure_data
interval=60
sourcetype=amal:activityLog

Then I did a restart... no errors seen on restart or with btool. But no data rolls into the new index = azure_data

The index azure_data was previously created on the indexer, and I have other data from Splunk_TA_microsoft-cloudservices currently rolling into it no problem.

Please advise.

Thank you

jconger · ‎08-09-2018

Is the individual instance input in your inputs.conf overriding the global parameter?

For example, the following in inputs.conf will still send data to the main index:

[azure_activity_log]
index=azure_data
interval=60
sourcetype=amal:activityLog

[azure_activity_log://Azure Monitor Activity Log]
SPNApplicationId = ********
SPNApplicationKey = ********
SPNTenantID = 123456
eventHubNamespace = eh123456
index = main
interval = 60
secretName = 123456
secretVersion = 123456
sourcetype = amal:activityLog
vaultName = kv123456
disabled = 0

adonio · ‎07-30-2018

did you see event from that sourcetype in the main index?
any errors in _internal index?

How to change the Azure Monitor (TA-Azure_Monitor) index from default "main" on a heavy forwarder?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk