Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Azure API logs saving to _internal index, Why?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure API logs saving to _internal index, Why?
Has anyone else configured the Splunk Add-on for Microsoft Cloud Services and seen issues where the data that's coming in is saving to the _internal index even when you specify an index for the data to send to, e.g. 'azure'??
I'm also getting the following via grep azure /var/log/splunk/splunkd.log
01-06-2019 20:48:11.130 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_audit" in inputs.conf at script (re)start.
01-06-2019 20:48:11.131 -0800 INFO ModularInputs - No stanzas found for scheme "mscs_azure_resource" in inputs.conf at script (re)start.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show what configurations you put in inputs.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf
[mscs_storage_table://Azure_Storage_Table]
disabled = false
account = splunkstorageaccountexample
collection_interval = 3600
index = azure
sourcetype = mscs:storage:table
start_time = 2018-09-29T16:37:05-07:00
table_list = *
[mscs_storage_blob://Azure_Storage_Blob]
disabled = false
account = splunkstorageaccountexample
blob_mode = append
collection_interval = 3600
container_name = splunk
index = azure
sourcetype = mscs:storage:blob
[mscs_storage_table://Azure_VM_Metrics]
disabled = false
account = splunkstorageaccountexample
collection_interval = 60
index = azure
sourcetype = mscs:vm:metrics
start_time = 2018-12-06T16:37:05-07:00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Azure_Audit]
account = Azure_App
index = azure
interval = 3600
start_time = 2018-12-06T16:37:05-07:00
subscription_id = [enter subscription_id]
disabled = 0
[Azure_Resource_VM]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_machine
subscription_id = [enter subscription_id]
[Azure_Resource_PublicIP]
account = Azure_App
index = azure
interval = 3600
resource_type = public_ip_address
subscription_id = [enter subscription_id]
[Azure_Resource_NIC]
account = Azure_App
index = azure
interval = 3600
resource_type = network_interface_card
subscription_id = [enter subscription_id]
[Azure_Resource_VirtualNetwork]
account = Azure_App
index = azure
interval = 3600
resource_type = virtual_network
subscription_id = [enter subscription_id]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
