All Apps and Add-ons

what is the best way to use Splunk with Azure? Installing Universal fowarder on the VMs or use Splunk Add-on for Microsoft Cloud Services?

Koko12345678
Explorer

I would like to know what are the benefits of using Splunk Add-on for Microsoft Cloud Services over installing the Universal Forwarder directly on the VMs ? do I'll get more/ better information by using Splunk Add-on for Microsoft Cloud Services? if yes, what is the differences?

In addition, if I'll choose to use Splunk Add-on for Microsoft Cloud Services, does my existing Splunk interface will be changed? does the query method will stay the same?

Thanks 🙂

Tags (1)
0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.

If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).

The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.

Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

View solution in original post

0 Karma

Koko12345678
Explorer

Thank you for your response, appreciate your help!

0 Karma

jconger
Splunk Employee
Splunk Employee

A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.

If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).

The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.

Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

0 Karma
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...