Getting Data In
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!

Log Analytics logs from Azure

Path Finder

What is the best way to import Log Analytics logs from Azure to Splunk  ?

is there anyway to do it without using Even Hub  ? 


we are using Splunk Enterprise Version:7.3.4

we also have Heavy forwarder Splunk Enterprise Version:8.1

Labels (1)
0 Karma


Hi @rayar 

The best way to collect data from azure is: the splunk add-on for microsoft clouds  services and microsoft azure add-on for splunk

Anyway you can collect the log list below with a short description, you can collect many souces via rest or eventhub depend on the log type.

  • Activity data [REST] or [Event Hub]: This is basically who did what and when.  For example, if I log on to the Azure portal and create a new VM, the VM creation action is captured in an activity log.
  • Resource data [REST]: This data source covers what services you use.  If you think of the activity data as "something happened", think of the resource data as "something exists".  For example, Virtual Machines, storage accounts, public IP addresses, etc. are all resources.
  • Authentication data [REST] or [Event Hub]: This is pretty self-explanatory, but I will point out that you can get things like multi-factor authentication data, self-service password reset data, conditional access policy data, and a whole set of Azure Active Directory data.
  • NSG flow logs [Storage account]: This source is like a network trace including source and destination IP addresses, ports, protocols, etc. For more information on this topic, check out this blog post.
  • Web Application and App Insights [Storage account]: Web Application data includes web server data (hosted or shared) as well as your web application data. App Insights is APM data.
  • Cost and consumption [REST]: This data source contains details on what services you are using and how much that usage costs. This data can also include VM reservation recommendations to save you money on your VM spend.
  • Alerts [REST] or [Event Hub]: Both service and security alerts are available as part of the activity log.  An example of a service alert may be a degradation of a service in a region. For example, if storage services were impacted in a region you use, that alert and relevant messages would be available. To give you an example of a security alert, Microsoft may send an alert that you only have one global admin.
  • Metrics [REST]: Azure makes a plethora of metrics available.  The entire list of available metrics is available from Microsoft here.
Tags (2)

Path Finder

thanks , we have both APPs installed , what type of input we should use for LogAnalytics ?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!