All Apps and Add-ons

what is the best way to use Splunk with Azure? Installing Universal fowarder on the VMs or use Splunk Add-on for Microsoft Cloud Services?

Koko12345678
Explorer

I would like to know what are the benefits of using Splunk Add-on for Microsoft Cloud Services over installing the Universal Forwarder directly on the VMs ? do I'll get more/ better information by using Splunk Add-on for Microsoft Cloud Services? if yes, what is the differences?

In addition, if I'll choose to use Splunk Add-on for Microsoft Cloud Services, does my existing Splunk interface will be changed? does the query method will stay the same?

Thanks 🙂

Tags (1)
0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.

If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).

The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.

Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

View solution in original post

0 Karma

Koko12345678
Explorer

Thank you for your response, appreciate your help!

0 Karma

jconger
Splunk Employee
Splunk Employee

A Universal Forwarder on an Azure VM gives you the most control of what you collect. If your indexer is not in Azure, it could be a challenge as the receiving side of the UF will need to be accessible.

If you just want performance data and Windows Event Logs from your VMS, I think it is easier to use the Splunk Add-on for Microsoft Cloud Services (MSCS). Azure takes care of getting the data into a storage account. The MSCS add-on pulls in this data. Also, accessibility isn't as much of a concern here as the storage accounts are publicly accessible (with a key).

The MSCS add-on has some more inputs that are useful including Audit, Resource, and generic storage. So, a lot of people use a combination of UF and the MSCS add-on and the Azure Monitor add-on too.

Regarding the question about changing your Splunk interface - the add-on is visible as a Splunk app for configuration. No other changes are made. The query method stays the same too.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...