Getting Data In

TA-Azure data inputs configuration

pkeller
Contributor

The instructions for configuring data inputs for the TA-Azure imply that there should be additional items under Settings -> Data Inputs. We're not seeing them. We've installed and enabled the TA but can't proceed with the highlighted step (below) from the documentation because neither "Azure Diagnostics" nor "Azure Website Diagnostics" input appears in standard Data Inputs panel.

[ snipped from Azure setup document ]

Setting up Splunk to read Azure diagnostic logs

Within Splunk, click Settings -> Data inputs

Click the "Azure Diagnostics" input or "Azure Website Diagnostics" input

Click on the "New" button to create a new data input
Give the input a unique name
Supply the name of the Azure Storage account containing the log data
Supply the Azure Storage account access key - refer to the section below for details on how to obtain your storage account access key

Is there some other setup item that needs to be performed in order to complete the Data inputs portion for the Azure TA?

0 Karma

pkeller
Contributor

Ultimately, this was caused because the dbConnect app (v 1.x) contains a datainputstats.html file which was taking precedence over the 6.4.x file with the same name under $SPLUNK_HOME/share/splunk/search_mrsparkle/templates/admin/datainputstats.html

I replaced the html file under the dbx tree with the one from search_mrsparkle, bounced splunkd and all looks good now.

jconger
Splunk Employee
Splunk Employee

What version of Splunk are you running and what other inputs do you see?

0 Karma

pkeller
Contributor

Thank you ... Running 6.4.0 and we see the standard 5 items

  • Files & directories
  • TCP
  • UDP
  • Scripts
  • Database inputs
0 Karma

pkeller
Contributor

I've been working on this most of the day and this is what I found.

Installing the TA on a 6.4.2 system ( upgraded from 6.3.2 ) results in no modifications to the "Settings -> Data Inputs" panel.

In addition, the blog http://blogs.splunk.com/tag/azure/ suggests that we should be seeing a "Local Inputs" header under "Settings -> Data Inputs" ... That's not the case in any of our 6.4.x 'upgraded' infrastructure.

After doing a fresh install of 6.4.2, I now see the "Local Inputs" and Forwarded Inputs headers under "Settings -> Data Inputs" ... I believe that somewhere in the upgrade process, the migration steps performed must have missed the changes required here.

0 Karma

pkeller
Contributor

I believe my issue was that the "SplunkLightForwarder" app had been enabled on this host. ( SplunkForwarder was also enabled ) ... I disabled the app, restarted Splunk, and now the Data Inputs panel looks the way it is described in the documentation.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...