- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: TA-Azure data inputs configuration
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TA-Azure data inputs configuration
The instructions for configuring data inputs for the TA-Azure imply that there should be additional items under Settings -> Data Inputs. We're not seeing them. We've installed and enabled the TA but can't proceed with the highlighted step (below) from the documentation because neither "Azure Diagnostics" nor "Azure Website Diagnostics" input appears in standard Data Inputs panel.
[ snipped from Azure setup document ]
Setting up Splunk to read Azure diagnostic logs
Within Splunk, click Settings -> Data inputs
Click the "Azure Diagnostics" input or "Azure Website Diagnostics" input
Click on the "New" button to create a new data input
Give the input a unique name
Supply the name of the Azure Storage account containing the log data
Supply the Azure Storage account access key - refer to the section below for details on how to obtain your storage account access key
Is there some other setup item that needs to be performed in order to complete the Data inputs portion for the Azure TA?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ultimately, this was caused because the dbConnect app (v 1.x) contains a datainputstats.html file which was taking precedence over the 6.4.x file with the same name under $SPLUNK_HOME/share/splunk/search_mrsparkle/templates/admin/datainputstats.html
I replaced the html file under the dbx tree with the one from search_mrsparkle, bounced splunkd and all looks good now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of Splunk are you running and what other inputs do you see?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you ... Running 6.4.0 and we see the standard 5 items
- Files & directories
- TCP
- UDP
- Scripts
- Database inputs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been working on this most of the day and this is what I found.
Installing the TA on a 6.4.2 system ( upgraded from 6.3.2 ) results in no modifications to the "Settings -> Data Inputs" panel.
In addition, the blog http://blogs.splunk.com/tag/azure/ suggests that we should be seeing a "Local Inputs" header under "Settings -> Data Inputs" ... That's not the case in any of our 6.4.x 'upgraded' infrastructure.
After doing a fresh install of 6.4.2, I now see the "Local Inputs" and Forwarded Inputs headers under "Settings -> Data Inputs" ... I believe that somewhere in the upgrade process, the migration steps performed must have missed the changes required here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe my issue was that the "SplunkLightForwarder" app had been enabled on this host. ( SplunkForwarder was also enabled ) ... I disabled the app, restarted Splunk, and now the Data Inputs panel looks the way it is described in the documentation.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
