https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399016#M67768 <P>A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.</P> <P>If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).</P> <P>The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.</P> <P>Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.</P> Tue, 26 Jun 2018 22:15:05 GMT jconger 2018-06-26T22:15:05Z https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399015#M67767 <P>I would like to know what are the benefits of using <STRONG>Splunk Add-on for Microsoft Cloud Services</STRONG> over <STRONG>installing the Universal Forwarder directly on the VMs</STRONG> ? do I'll get more/ better information by using Splunk Add-on for Microsoft Cloud Services? if yes, what is the differences?<BR /><BR /> In addition, if I'll choose to use Splunk Add-on for Microsoft Cloud Services, does my existing Splunk interface will be changed? does the query method will stay the same? </P> <P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 21 Jun 2018 12:34:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399015#M67767 Koko12345678 2018-06-21T12:34:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399016#M67768 <P>A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.</P> <P>If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).</P> <P>The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.</P> <P>Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.</P> Tue, 26 Jun 2018 22:15:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399016#M67768 jconger 2018-06-26T22:15:05Z https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399017#M67769 <P>Thank you for your response, appreciate your help!</P> Wed, 27 Jun 2018 07:56:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/what-is-the-best-way-to-use-Splunk-with-Azure-Installing/m-p/399017#M67769 Koko12345678 2018-06-27T07:56:05Z