Splunk Addon for Microsoft Azure

Enterprise Applications deployed in Azure typically log data into Azure diagnostic storage tables. This App enables connecting to and retrieving data from Azure diagnostic storage into Splunk for analysis and reporting purposes.

Release Notes

SPLUNK APP FOR MICROSOFT WINDOWS AZURE

About the Splunk App for Microsoft Windows Azure

The Splunk App for Microsoft Windows Azure (hereafter known as the Splunk App for Azure) allows you to get insight on the operation of your Microsoft Windows Azure installation.

How does it work?

The Splunk App for Azure collects data on four Windows Azure diagnostic event types:

  • WADLogs
  • WADEventLogs
  • WADPerformanceCounter
  • WADDiagnosticInfrastructure

The app then displays this information in a dashboard which depicts the number of events collected for each diagnostic and when those events came in over an adjustable time period.

New to Splunk?

If this is the first time you have used Splunk, then follow the link to the Splunk documentation topic below. It introduces the most important Splunk concepts you need to understand when installing and using Splunk apps.

The key points to come away with are:

  • All Splunk apps run on the Splunk platform.
  • Understanding how Splunk works will greatly help you understand how Splunk apps work.
  • Installing and configuring the app is only part of the experience - you might need to prepare Splunk before installing your app.
  • Careful planning helps achieve a successful app deployment experience.

Read more at http://docs.splunk.com/Documentation/WindowsApp/latest/User/NewtoSplunk

How this app fits into the Splunk picture

The Splunk App for Azure is one of a variety of apps and add-ons available within the Splunk ecosystem. All Splunk apps and add-ons run on top of a core Splunk installation. You need to install Splunk first, and then install the app and add-on components of the Splunk for Azure app.

For specifics about what you'll install where, read "What a Splunk App for Azure installation looks like" later in this README.

For details about apps and add-ons, refer to "What are apps and add-ons?" in the core Splunk product documentation.

To download Splunk, visit the download page on splunk.com.

To get more apps and add-ons, visit Splunk Apps (http://apps.splunk.com).

How to find more information about Splunk

If you have questions about the Splunk App for Azure, send an email to microsoft@splunk.com.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you. (http://www.splunk.com/view/professional-services/SP-CAAABH9)

Find more information about Splunk

You've got a variety of options for finding more information about Splunk:

  • The core Splunk documentation (http://docs.splunk.com)
  • Splunk Answers (http://answers.splunk.com)
  • The #splunk IRC channel on EFNET

Before you deploy

Read the following sections on the requirements for deploying the Splunk App for Azure.

Platform and hardware requirements

A Splunk App for Azure installation requires the following components:

  • .NET Framework 4.5 (http://www.microsoft.com/en-us/download/details.aspx?id=30653)
  • The Windows Azure Storage Client dynamic link library (DLL) (WindowsAzure.StorageClient.dll) version 6.0.6002.18488 (from WindowsAzure Storage version 1.7.0.0)
  • The NuGet command-line utility, which allows you to download the above mentioned DLL (http://nuget.org/nuget.exe)

What versions of Splunk does the app support?

All full Splunk instances require version 6.0.1 or later.

All Splunk universal forwarders require version 6.0.1 or later.

What a Splunk App for Azure installation looks like

The Splunk App for Azure installs onto a full Splunk instance or a universal forwarder that runs on Windows. The app connects to Windows Azure using HTTP Representational State Transfer (REST) calls, based on Azure storage name and key credentials you provide.

If you install the Splunk App for Azure onto a forwarder, that forwarder sends Azure diagnostic data to the indexer you specify when you set up the forwarder. It does not host the app - you need a full instance of Splunk to do that. Be sure to read the Distributed Deployment Manual in the core Splunk platform documentation for details on how to plan your application.

How to deploy the Splunk App for Azure

You can install the Splunk App for Azure on a full instance of Splunk or a universal forwarder. To install the app, follow these steps:

Install the Splunk App for Azure onto Splunk version 6.0 and later

If your Splunk App for Azure instance runs Splunk version 6.0, use these instructions to install the app.

  1. On a Windows system, install the .NET Framework version 4.5.

Note: You might need to restart your system after installing this software.

  2. Next, download the NuGet command-line utility (http://nuget.org/nuget.exe) from NuGet Gallery and save it to an accessible location.

  3. Install full Splunk or a universal forwarder onto the system.

Important: If you are installing a universal forwarder, you must configure a receiving indexer or a deployment server for the forwarder to retrieve configurations. Read "Deploy a Windows universal forwarder via the installer GUI" (http://docs.splunk.com/Documentation/Splunk/6.0beta/Deploy/DeployaWindowsdfmanually) in the core Splunk documentation for additional forwarder configuration procedures.

  4. Download the Splunk App for Azure installation package from Splunk Apps and save it to an accessible location.

  5. Unpack the contents of the Splunk App for Azure as follows:

    a. Unpack the SplunkAzure.tar file into %SPLUNK_HOME%\etc\apps.

Note: On a full instance of Splunk, you can also install the Splunk App for Azure by uploading the tar file with Splunk Web.

  6. From a command prompt, change to the directory where you downloaded the NuGet utility above and run the following commands to download and install the Windows Azure Storage Client DLL:

    a. nuget.exe Install WindowsAzure.storage -Version 1.7.0.0

    b. copy C:\WindowsAzure.Storage.1.7.0.0\lib\net35-full\Microsoft.WindowsAzure.StorageClient.dll %SPLUNK_HOME%\etc\apps\SplunkAzure\bin

    Note: Exact directory paths for the DLL might vary; you can use Explorer to find the DLL and move it to your Splunk App for Azure binary directory.

  7. Restart Splunk for the changes to take effect.

Configure the Splunk App for Azure

How you configure the Splunk App for Azure depends on how you have deployed the app.

If you deploy the app on a full Splunk instance, you can use Splunk Web to add and manage Splunk Azure inputs.

If you deploy the app on a forwarder, you must configure the app using a configuration file on the forwarder. Remember that universal forwarders do not have Splunk Web, so there is no GUI to perform configuration with.

Configure the Splunk App for Azure on a full Splunk instance

  1. Log into the Splunk instance with the Splunk Azure installation.

  2. Access the Splunk Windows Azure Monitor input page.

  3. Select Settings > Data Inputs > Splunk Windows Azure Monitor.

  4. Click New.

  5. In the "Add New" page, enter a unique name that you'll remember in the "Collection Name" field.

  6. In the "Storage Account Name" field, enter your Windows Azure storage account name.

  7. In the "Storage Account Key" field, enter your Windows Azure storage account key.

  8. Under "Input Type", select the Windows Azure diagnostic you want this input to collect data for.

  9. Optionally, set the index that you want the input to send data it collects to by selecting it from the "Index" drop-down.

  10. Click "Save". Splunk saves and enables the input.

Once you have completed these steps, proceed to "Use the Splunk App for Azure" to learn how to access the app.

Configure the Splunk App for Azure on a forwarder

  1. Using a text editor, open %SPLUNK_HOME%\etc\apps\SplunkAzure\local\inputs.conf for editing.

Note: The inputs.conf that comes with the Splunk App for Azure includes sample stanzas which you can modify for your specific Azure configuration. The key attributes you must provide details for are:

    storageAccountKey = Your Windows Azure storage account key
    storageAccountName = Your Windows Azure storage account name
    type: The type of Windows Azure diagnostic you want to collect data on. It can be one of:

  • WADPerformanceCountersTable
  • WADDiagnosticInfrastructureLogsTable
  • WADLogsTable
  • WADWindowsEventLogsTable

You might need to create inputs.conf in %SPLUNK_HOME%\etc\apps\SplunkAzure\local if it does not exist there.

  2. Add any desired other attributes to the file as needed.

Note: For information about available attributes for inputs.conf, read the inputs.conf spec file page (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf)

  3. Save the file.

  4. Restart Splunk for the changes to take effect.

The Splunk universal forwarder will send Azure diagnostic data that it collects to the indexer you specified when you set up the forwarder.
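
A check you can run on the forwarder's inputs.conf before the restart, as an added example that is not part of the app: it confirms each stanza carries storageAccountName, storageAccountKey and a type from the list of four tables, and reports problems without echoing the key. The stanza names in the sample are constructed placeholders (use the ones in the shipped sample file), and the base64 test assumes the key is pasted exactly as Azure issues it.

```python
import base64
import binascii
import configparser

# The four table names the README allows for the "type" attribute.
ALLOWED_TYPES = {
    "WADPerformanceCountersTable", "WADDiagnosticInfrastructureLogsTable",
    "WADLogsTable", "WADWindowsEventLogsTable",
}
REQUIRED = ("storageAccountName", "storageAccountKey", "type")

# Constructed sample: stanza names are placeholders and the key is 64 zero bytes.
DUMMY_KEY = base64.b64encode(b"\x00" * 64).decode()
SAMPLE = f"""\
[example-input://perf]
storageAccountName = examplestorage
storageAccountKey = {DUMMY_KEY}
type = WADPerformanceCountersTable

[example-input://infra]
storageAccountName = examplestorage
storageAccountKey = not base64!
type = WADDiagnosticInfrastructure

[example-input://events]
storageAccountName = examplestorage
type = WADWindowsEventLogsTable
"""

def lint_inputs(conf_text):
    """Return (stanza, problem) pairs; the key value itself is never reported."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep attribute names case-sensitive
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        attrs = parser[stanza]
        for name in REQUIRED:
            if not attrs.get(name, "").strip():
                findings.append((stanza, f"missing {name}"))
        kind = attrs.get("type", "").strip()
        if kind and kind not in ALLOWED_TYPES:
            findings.append((stanza, f"unknown type {kind!r}"))
        key = attrs.get("storageAccountKey", "").strip()
        try:
            base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            findings.append((stanza, "storageAccountKey is not valid base64"))
    return findings
```

Pass it the text of %SPLUNK_HOME%\etc\apps\SplunkAzure\local\inputs.conf. Since that file holds the storage account key as you typed it, limit read access on it to the account Splunk runs as and to administrators.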

Use the Splunk App for Azure

In order to use the Splunk App for Azure, you must log into your Splunk instance and access the app.

To log into Splunk Web, use your Web browser to navigate to:

http://hostname:8000

Use the host and port you chose during installation. The default port is 8000.

Access the Splunk App for Azure

Once you've logged in to Splunk Web, you'll see Splunk Home, which lists all the apps that are currently installed. You should see the Search and Getting Started apps, as well as the Splunk App for Azure.
