Splunk Addon for Microsoft Azure

Enterprise Applications deployed in Azure typically log data into Azure diagnostic storage tables. This App enables connecting to and retrieving data from Azure diagnostic storage into Splunk for analysis and reporting purposes.

Release Notes

SPLUNK ADD-ON FOR MICROSOFT WINDOWS AZURE

About the Splunk Add-on for Microsoft Windows Azure

The Splunk Add-on for Microsoft Windows Azure (hereafter known as the Splunk Add-on for Azure) allows you to gain insight into the operation of your Microsoft Windows Azure installation.

How does it work?

The Splunk Add-on for Azure collects data on four Windows Azure diagnostic event types:

  • WADLogs
  • WADEventLogs
  • WADPerformanceCounter
  • WADDiagnosticInfrastructure

New to Splunk?

If this is the first time you have used Splunk, then follow the link to the Splunk documentation topic below. It introduces the most important Splunk concepts you need to understand when installing and using Splunk apps.

The key points to come away with are:

  • All Splunk apps run on the Splunk platform.
  • Understanding how Splunk works will greatly help you understand how Splunk apps work.
  • Installing and configuring the app is only part of the experience - you might need to prepare Splunk before installing your app.
  • Careful planning helps achieve a successful app deployment experience.

Read more at http://docs.splunk.com/Documentation/WindowsApp/latest/User/NewtoSplunk

How this add-on fits into the Splunk picture

The Splunk Add-on for Azure is one of a variety of apps and add-ons available within the Splunk ecosystem. All Splunk apps and add-ons run on top of a core Splunk installation. You need to install Splunk first, and then install the components of the Splunk Add-on for Azure.

For specifics about what you'll install where, read "What a Splunk Add-on for Azure deployment looks like" later in this README.

For details about apps and add-ons, refer to "What are apps and add-ons?" in the core Splunk product documentation.

To download Splunk, visit the download page on splunk.com.

To get more apps and add-ons, visit Splunk Apps (http://apps.splunk.com).

How to find more information about Splunk

If you have questions about the Splunk App for Azure, send an email to microsoft@splunk.com.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you. (http://www.splunk.com/view/professional-services/SP-CAAABH9)

Find more information about Splunk

You've got a variety of options for finding more information about Splunk:

  • The core Splunk documentation (http://docs.splunk.com)
  • Splunk Answers (http://answers.splunk.com)
  • The #splunk IRC channel on EFNET

Before you deploy

Read the following sections on the requirements for deploying the Splunk Add-on for Azure.

Platform and hardware requirements

A Splunk Add-on for Azure installation requires the following components:

  • .NET Framework 4.5 (http://www.microsoft.com/en-us/download/details.aspx?id=30653)
  • The Windows Azure Storage Client dynamic link library (DLL) (WindowsAzure.StorageClient.dll) version 6.0.6002.18488 (from WindowsAzure Storage version 1.7.0.0)
  • The NuGet command-line utility, which allows you to download the above mentioned DLL (http://nuget.org/nuget.exe)

What versions of Splunk does the add-on support?

All full Splunk instances require version 6.0.1 or later.

All Splunk universal forwarders require version 6.0.1 or later.

What a Splunk Add-on for Azure installation looks like

The Splunk App for Azure installs onto a full Splunk instance or a universal forwarder that runs on Windows. The app connects to Windows Azure using HTTP Representational State Transfer (REST) calls, based on Azure storage name and key credentials you provide.

If you install the Splunk App for Azure onto a forwarder, that forwarder sends Azure diagnostic data to the indexer you specify when you set up the forwarder.

How to deploy the Splunk App for Azure

You can install the Splunk Add-on for Azure on a full instance of Splunk or a universal forwarder. To install the add-on, follow these steps:

Install the Splunk Add-on for Azure onto Splunk version 6.0 and later

If your Splunk Add-on for Azure instance runs Splunk version 6.0, use these instructions to install the app.

  1. On a Windows system, install the .NET Framework version 4.5.

Note: You might need to restart your system after installing this software.

  2. Next, download the NuGet command-line utility (http://nuget.org/nuget.exe) from NuGet Gallery and save it to an accessible location.

  3. Install full Splunk or a universal forwarder onto the system.

Important: If you are installing a universal forwarder, you must configure a receiving indexer or a deployment server for the forwarder to retrieve configurations. Read "Deploy a Windows universal forwarder via the installer GUI" (http://docs.splunk.com/Documentation/Splunk/6.0beta/Deploy/DeployaWindowsdfmanually) in the core Splunk documentation for additional forwarder configuration procedures.

  4. Download the Splunk App for Azure installation package from Splunk Apps and save it to an accessible location.

  5. Unpack the contents of the Splunk App for Azure as follows:

    a. Unpack the SplunkAzure.tar file into %SPLUNK_HOME%\etc\apps.

Note: On a full instance of Splunk, you can also install the Splunk App for Azure by uploading the tar file with Splunk Web.

  6. From a command prompt, change to the directory where you downloaded the NuGet utility above and run the following commands to download and install the Windows Azure Storage Client DLL:

    a. nuget.exe Install WindowsAzure.storage -Version 1.7.0.0

    b. copy C:\WindowsAzure.Storage.1.7.0.0\lib\net35-full\Microsoft.WindowsAzure.StorageClient.dll %SPLUNK_HOME%\etc\apps\SplunkAzure\bin

    Note: Exact directory paths for the DLL might vary; you can use Explorer to find the DLL and move it to your Splunk App for Azure binary directory.

  7. Restart Splunk for the changes to take effect.

Configure the Splunk Add-on for Azure on a forwarder

  1. Using a text editor, open %SPLUNK_HOME%\etc\apps\SplunkAzure\local\inputs.conf for editing.

Note: The inputs.conf that comes with the Splunk App for Azure includes sample stanzas which you can modify for your specific Azure configuration. The key attributes you must provide details for are:

storageAccountKey = Your Windows Azure storage account key

storageAccountName = Your Windows Azure storage account name

type: The type of Windows Azure diagnostic you want to collect data on. It can be one of:

  • WADPerformanceCountersTable
  • WADDiagnosticInfrastructureLogsTable
  • WADLogsTable
  • WADWindowsEventLogsTable

You might need to create inputs.conf in %SPLUNK_HOME%\etc\apps\SplunkAzure\local if it does not exist there.

  2. Add any other desired attributes to the file as needed.

Note: For information about available attributes for inputs.conf, read the inputs.conf spec file page (http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf)

  3. Save the file.

  4. Restart Splunk for the changes to take effect.

The Splunk universal forwarder will send Azure diagnostic data that it collects to the indexer you specified when you set up the forwarder.
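
The following is an added example, not code from the add-on or from the original README: a Python check that can be run over the edited inputs.conf before restarting Splunk. It flags stanzas that are missing a required attribute, use a type outside the four table names listed above, or carry a storage account key that was truncated or mangled when pasted, and it never prints the key, since inputs.conf holds it in clear text. The stanza names in the sample are hypothetical, and the base64 test assumes the key is pasted exactly as Azure issues it.

```python
import base64
import binascii
import configparser

# Table names the README lists as valid values for "type".
VALID_TYPES = {
    "WADPerformanceCountersTable", "WADDiagnosticInfrastructureLogsTable",
    "WADLogsTable", "WADWindowsEventLogsTable",
}
REQUIRED = ("storageAccountName", "storageAccountKey", "type")

# Constructed sample input; stanza names are hypothetical, the key is not real.
SAMPLE = """
[azure://good]
storageAccountName = examplestore
storageAccountKey = Y29uc3RydWN0ZWQta2V5LW5vdC1yZWFs
type = WADLogsTable

[azure://bad]
storageAccountName = examplestore
storageAccountKey = not base64!
type = WADLogs
"""

def audit_inputs(conf_text):
    """Return (stanza, problem) pairs; the key value itself is never echoed."""
    parser = configparser.RawConfigParser(
        strict=False, delimiters=("=",), comment_prefixes=("#",))
    parser.optionxform = str  # keep attribute names case-sensitive
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        attrs = dict(parser.items(stanza))
        if not any(name in attrs for name in REQUIRED[:2]):
            continue  # no storage credentials: not an Azure input stanza
        for name in REQUIRED:
            if not attrs.get(name, "").strip():
                findings.append((stanza, "missing " + name))
        kind = attrs.get("type", "").strip()
        if kind and kind not in VALID_TYPES:
            findings.append((stanza, "unknown type " + kind))
        key = attrs.get("storageAccountKey", "").strip()
        if key:
            try:
                base64.b64decode(key, validate=True)
            except (binascii.Error, ValueError):
                findings.append((stanza, "storageAccountKey is not valid base64"))
    return findings
```

To check a real file, pass its contents to audit_inputs(); an empty list means no problems were found.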
