Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Azure API logs saving to _internal index, Why?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure API logs saving to _internal index, Why?
Has anyone else configured the Splunk Add-on for Microsoft Cloud Services and seen issues where the data that's coming in is saving to the _internal index even when you specify an index for the data to send to, e.g. 'azure'??
I'm also getting the following via grep azure /var/log/splunk/splunkd.log
01-06-2019 20:48:11.130 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_audit" in inputs.conf at script (re)start.
01-06-2019 20:48:11.131 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_resource" in inputs.conf at script (re)start.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show what configurations you put in inputs.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf
[mscs_storage_table://Azure_Storage_Table]
disabled = false
account = splunkstorageaccountexample
collection_interval = 3600
index = azure
sourcetype = mscs:storage:table
start_time = 2018-09-29T16:37:05-07:00
table_list = *
[mscs_storage_blob://Azure_Storage_Blob]
disabled = false
account = splunkstorageaccountexample
blob_mode = append
collection_interval = 3600
container_name = splunk
index = azure
sourcetype = mscs:storage:blob
[mscs_storage_table://Azure_VM_Metrics]
disabled = false
account = splunkstorageaccountexample
collection_interval = 60
index = azure
sourcetype = mscs:vm:metrics
start_time = 2018-12-06T16:37:05-07:00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Azure_Audit]
account = Azure_App
index = azure
interval = 3600
start_time = 2018-12-06T16:37:05-07:00
subscription_id = [enter subscription_id]
disabled = 0
[Azure_Resource_VM]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_machine
subscription_id = [enter subscription_id]
[Azure_Resource_PublicIP]
account = Azure_App
index = azure
interval = 3600
resource_type = public_ip_address
subscription_id = [enter subscription_id]
[Azure_Resource_NIC]
account = Azure_App
index = azure
interval = 3600
resource_type = network_interface_card
subscription_id = [enter subscription_id]
[Azure_Resource_VirtualNetwork]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_network
subscription_id = [enter subscription_id]
Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
