Splunking Microsoft Azure Data

AzureThere are a lot of services in Microsoft Azure, and a lot of those services are producing machine data. Hal Rottenberg wrote a post covering several of these services and some ways to integrate Splunk with Microsoft Azure. We recently released a new cross-platform Azure add-on that consumes data for some IaaS and PaaS services. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

The add-on ships with three modular inputs:

  1. Azure Diagnostics – this input collects data from an Azure Storage account that contains virtual machine diagnostic information.
  2. Azure Website Diagnostics – this input collects server and application data for Azure Websites. This data is stored in an Azure Storage account blob storage container.
  3. Azure Audit – this input collects audit data to give insight into who did what and when as well as events that could have an health impact on your Azure environment.

These modular inputs rely on diagnostic data written to an Azure Storage account.  For more information about enabling diagnostic data for your Virtual Machines and Azure Websites, refer to this article.

How to use the Azure data

There are several prebuilt panels included in the add-on to get you started quickly:

Windows Events

  • Azure – top Event IDs (last 24 hours)
  • Azure – Security Event ID Count (last 7 days)
  • Azure – Application Event ID Count (last 7 days)
  • Azure – Event Channel Distribution

Azure Windows Events



  • Azure – Performance – Available Counters
  • Azure – Performance – % Processor Time by Instance
  • Azure – Performance – Memory Available Bytes
  • Azure – Performance – Memory Pages/sec
  • Azure – Performance – Disk Reads/sec
  • Azure – Performance – Disk Write/sec
  • Azure – Performance – Thread Context Switches/sec

Azure Performance


Azure Website

  • Azure – Website – Top Transfers by IP Address
  • Azure – Website – Top Transfers by HTTP Request
  • Azure – Website – Average Request Size
  • Azure – Website – Application Message Level Distribution
  • Azure – Website – Application Message Details

Azure Websites



  • Count by sourcetype


What is coming next?

[UPDATE] Azure Audit logs are now part of the Splunk Add-on for Microsoft Azure.

The next integration slated to roll into this add-on is Azure audit data. This modular input will pull data from the Azure Insights Events API.  The idea here is to be able to tell who did what and when.


Running Splunk in Azure

In addition to collecting data from Microsoft Azure, it is possible to quickly spin up Splunk workloads in Azure. The easiest way to do this is by using the Azure Marketplace. For more information on this, read Roy Arsan’s article about Splunk in the Azure Marketplace.



Downlaod the Azure Add-on on Splunkbase

Azure tag on answers.splunk.com

Azure tag on Splunk blogs

It would be awesome if there was plug in that pulled JSON data right out of EventHubs in to Splunk. For IoT scenarios this would open up logging when there is no possibility of deploying the light forwarders

March 18, 2016

2 Trackbacks

  1. […] Mar 15th, 2016: Jason Conger has announced the beta of the Azure Add-On for […]

  2. […] recently released the Splunk Add-on for Microsoft Azure, which gives you insight into Azure IaaS and PaaS. I am happy to announce that this add-on now […]