All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Azure API logs saving to _internal index, Why?

johnward4
Communicator
‎01-06-2019 09:27 PM

Has anyone else configured the Splunk Add-on for Microsoft Cloud Services and seen issues where the data that's coming in is saving to the _internal index even when you specify an index for the data to send to, e.g. 'azure'??

I'm also getting the following via grep azure /var/log/splunk/splunkd.log

01-06-2019 20:48:11.130 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_audit" in inputs.conf at script (re)start.
01-06-2019 20:48:11.131 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_resource" in inputs.conf at script (re)start.

0 Karma
Reply

p_gurav
Champion
‎01-07-2019 12:31 AM

Can you show what configurations you put in inputs.conf?

0 Karma
Reply

johnward4
Communicator
‎01-07-2019 10:04 AM

inputs.conf

[mscs_storage_table://Azure_Storage_Table]
disabled = false
account = splunkstorageaccountexample
collection_interval = 3600
index = azure
sourcetype = mscs:storage:table
start_time = 2018-09-29T16:37:05-07:00
table_list = *

[mscs_storage_blob://Azure_Storage_Blob]
disabled = false
account = splunkstorageaccountexample
blob_mode = append
collection_interval = 3600
container_name = splunk
index = azure
sourcetype = mscs:storage:blob

[mscs_storage_table://Azure_VM_Metrics]
disabled = false
account = splunkstorageaccountexample
collection_interval = 60
index = azure
sourcetype = mscs:vm:metrics
start_time = 2018-12-06T16:37:05-07:00

0 Karma
Reply

johnward4
Communicator
‎01-07-2019 10:09 AM

[Azure_Audit]
account = Azure_App
index = azure
interval = 3600
start_time = 2018-12-06T16:37:05-07:00
subscription_id = [enter subscription_id]
disabled = 0

[Azure_Resource_VM]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_machine
subscription_id = [enter subscription_id]

[Azure_Resource_PublicIP]
account = Azure_App
index = azure
interval = 3600
resource_type = public_ip_address
subscription_id = [enter subscription_id]

[Azure_Resource_NIC]
account = Azure_App
index = azure
interval = 3600
resource_type = network_interface_card
subscription_id = [enter subscription_id]

[Azure_Resource_VirtualNetwork]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_network
subscription_id = [enter subscription_id]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...