
Azure Monitor Metrics in event hub but not appearing in Splunk

devsupport
Engager

We configured the Azure Monitor Metrics input and configured diagnostics to send metrics (and logs) to our event hub. We are only seeing 2 amm_resourceTypes when there should be more (ex. Load Balancer). Using Service Bus Explorer, we can see expected metrics data in the event hub.

After reading through the docs on GitHub, I do not see any additional configuration required to pull other Azure resource type metrics. Should the add-on automatically handle all/most resource types?

We're using add-on version 1.3.1.

0 Karma

jconger
Splunk Employee

The Metrics input in the Azure Monitor Add-on uses a REST API to get the metrics data rather than event hubs (the Activity input and the Diagnostic input do use event hubs though). There are 2 parts to the metrics input:

  1. Configure the input in Splunk (tenant ID, app ID/key, subscription ID, vault information).
  2. Tag the resource(s) you want with a "metrics" tag. The value of the tag should be the metric(s) you want to collect. More information here -> https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Azure#metrics

Here is a good reference on the metrics available from Azure Monitor that can be ingested into Splunk -> https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported


0 Karma
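An added example (not part of the original answer and not the add-on's own code) for checking step 2 above: it groups resources by type and lists the types where no resource carries a non-empty "metrics" tag, which are the types that would be missing from Splunk. It assumes input in the shape of `az resource list -o json`; the sample resources and the function names are constructed for illustration, and the tag name is matched case-insensitively because Azure treats tag names that way.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `az resource list -o json` output.
SAMPLE = json.loads("""
[
 {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
  "tags": {"Metrics": "Percentage CPU"}},
 {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts",
  "tags": {"metrics": "Transactions"}},
 {"name": "lb-front", "type": "Microsoft.Network/loadBalancers",
  "tags": null},
 {"name": "lb-back", "type": "Microsoft.Network/loadBalancers",
  "tags": {"env": "prod", "metrics": " "}}
]
""")


def metrics_tag(resource):
    """Return the trimmed value of the resource's "metrics" tag, or None."""
    # "tags" is null for untagged resources, so fall back to an empty dict.
    for name, value in (resource.get("tags") or {}).items():
        if name.lower() == "metrics" and value and value.strip():
            return value.strip()
    return None


def coverage_by_type(resources):
    """Map each resource type to the names of its tagged and untagged resources."""
    report = defaultdict(lambda: {"tagged": [], "untagged": []})
    for res in resources:
        bucket = "tagged" if metrics_tag(res) else "untagged"
        report[res["type"]][bucket].append(res["name"])
    return dict(report)


def types_without_metrics(resources):
    """Resource types for which no resource has a usable "metrics" tag."""
    return sorted(t for t, v in coverage_by_type(resources).items()
                  if not v["tagged"])


if __name__ == "__main__":
    for rtype in types_without_metrics(SAMPLE):
        untagged = coverage_by_type(SAMPLE)[rtype]["untagged"]
        print(f"{rtype}: no metrics tag on {', '.join(untagged)}")
```
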
