Integrate Microsoft Azure monitoring with Splunk Observability Cloud
The Microsoft Azure integration connects Splunk Observability Cloud data collection with Microsoft Azure monitoring.
When you send an API request, you need to use the endpoint specific to your organization's realm. To learn more, see Realms in endpoints.
Create an integration using the API
You need to be an Admin in Splunk Observability Cloud to create a Microsoft Azure integration.
Azure prerequisites
To create the integration, you need the following Microsoft Azure information, which you can get from the Azure website.
- tenantID
- appID
- secret key
You also need the list of subscription IDs you want to monitor in Splunk Observability Cloud. For detailed instructions on how to configure Microsoft Azure and how to get the necessary information, see the Connect to Azure and send data to Splunk Observability Cloud topic in the Splunk Observability Cloud user documentation.
Create the integration object
After you have the Azure information, create the Azure integration object using the operation POST https://api.<REALM>.signalfx.com/v2/integration.
To authenticate this request, you need to specify a session token associated with a user who is an administrator. To learn more about authentication tokens, see Authentication Tokens.
The following curl command shows you how to create the integration:

    $ curl \
        --request POST \
        --header "X-SF-TOKEN: <ADMIN_SESSION_TOKEN>" \
        --header "Content-Type: application/json; charset=utf8" \
        --data '{
          "type" : "Azure",
          "name" : "<INTEGRATION_NAME>",
          ...
The response body for a successful request is similar to the following:

    {
      "type": "Azure",
      "name" : "<INTEGRATION_NAME>",
      "pollRate" : 60000,
      "services" : [],
      "id" : "<INTEGRATION_ID>",
      "tenantId" : "<YOUR_TENANT_ID>",
      "subscriptions" : ["<SUBSCRIPTION>", "<SUBSCRIPTION>"...]
    }

To ensure security, the create request adds the tenantId, appId, and secretKey properties to the integration object but doesn't return appId and secretKey in the response.
Tagging
Azure tags have a name and a value.
Be careful when choosing tag names: Splunk Observability Cloud only allows alphanumeric characters, as well as the underscore and minus symbols. Unsupported characters include ".", ":", "/", "=", "+", "@", and spaces, which are replaced by the underscore character.
Create filters using the API
Once you've set up your Azure integration, you can filter by the following:
- Tags (tag)
- Resource name (resource_name)
- Resource group name (resource_group_name)
- Resource subtype (kind). Some resources have "subtypes". For example, the resource type Microsoft.Web/sites has two subtypes (or "kind"): web apps and Azure functions. For more information refer to the official Azure documentation.
You need to prefix any of these with azure_ in the filter string: azure_tag, azure_resource_name, azure_resource_group_name or azure_kind. For example, the tag name of Environment becomes azure_tag_Environment when used in the filter string.
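The following sketch is an added example, not code from Splunk. It applies the tag-name replacement rule and the azure_tag_ prefix described above, and flags Azure tag names that become identical after replacement, since a filter on one of them then also matches the other. It assumes that every character outside the allowed set is replaced (not only the listed ones), that the replaced name is the one used in the filter string, and that `*` is the wildcard character.

```python
import re
from collections import defaultdict

# Assumption: every character outside ASCII letters, digits, "_" and "-" is
# replaced, not only the ones the page lists as examples.
_UNSUPPORTED = re.compile(r"[^A-Za-z0-9_-]")

def normalize_tag_name(name):
    """Apply the replacement rule: unsupported characters become "_"."""
    return _UNSUPPORTED.sub("_", name)

def find_collisions(tag_names):
    """Group Azure tag names that end up identical after replacement."""
    groups = defaultdict(set)
    for name in tag_names:
        groups[normalize_tag_name(name)].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def tag_filter(tag_name, value):
    """Build filter("azure_tag_<name>", "<value>"); the value may hold wildcards."""
    if '"' in value or "\\" in value:
        # A quote or backslash would end the string early and change the expression.
        raise ValueError("value must not contain quotes or backslashes")
    return f'filter("azure_tag_{normalize_tag_name(tag_name)}", "{value}")'

# Constructed tag names, as they might appear on Azure resources.
SAMPLE_TAGS = ["Environment", "cost.center", "cost/center", "owner team", "owner_team"]

if __name__ == "__main__":
    print(tag_filter("Environment", "prod*"))
    for normalized, originals in find_collisions(SAMPLE_TAGS).items():
        print(f"{normalized}: {originals} are indistinguishable in a filter")
```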
Prerequisites
To create filters you'll need the following:
- Azure Subscription ID, found under the Subscriptions section
- Azure Tenant Name
- Azure Secret Value, only visible once during the original setup of the integration
- Azure Application ID, visible in the All Applications list
- Azure Type (azure or azure_us_government). Filtering might only work with the value azure.
Set up a new filter
To set up a new filter, perform the following steps:
1. Obtain your Splunk Observability Cloud account info
You need the following information:
- Splunk user access token. See how in Retrieve and manage user API access tokens using Splunk Observability Cloud.
- Realm and Org Id. See how in View your realm, API endpoints, and organization.
2. Retrieve your existing integration details
To retrieve your integration details, run the following curl command:

    curl -X GET "https://api.<Splunk O11y Realm>.signalfx.com/v2/integration" \
      -H "Content-Type: application/json" \
      -H "X-SF-TOKEN: <My Login API Token>"

This step can retrieve multiple integrations so be sure to review and find the one you want to update.
If you have multiple integrations, you can include an Integration ID with the get command to only retrieve data for that specific integration.

    curl -X GET "https://api.<Splunk O11y Realm>.signalfx.com/v2/integration/<Integration ID>" \
      -H "Content-Type: application/json" \
      -H "X-SF-TOKEN: <My Login API Token>"

Use the retrieved data to build the JSON payload file to update the integration.
3. Create the JSON payload file
Create a new file, update.json, with the retrieved information, and adjust the placeholder values as required. Create this file in the same folder where you are running your curl commands.
The filter value is overwritten during the next step, so if you have filters that you need to preserve, use Boolean and/or logic to include those previous filters, as shown in the filter logic below.

    {
      "type": "Azure",
      "name": "<Azure Name>",
      "pollRate": 60000 <use the same pollRate value from previous step>,
      "subscriptions": [ "<Azure Subscription ID>" ],
      "secretKey": "<Azure Secret Value>",
      ...

This example is for a filter using the resource group name:

    "resourceFilterRules": [
      {
        "filter": {
          "source": "filter(\"azure_resource_group_name\", \"integrations-demo\")"
        }
      }
    ]

4. Update the integration
To update the integration with the new filter, use the new JSON file, update.json, and run the following command:

    curl -X PUT "https://api.<Splunk O11y Realm>.signalfx.com/v2/integration/<Integration ID>" \
      -H "Content-Type: application/json" \
      -H "X-SF-TOKEN: <My Login API Token>" \
      -d @update.json

5. Verify the filter's been updated
Run the curl command from the Retrieve your existing integration details step again to verify the filter value has been updated.
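Because the PUT overwrites the filter and update.json contains secretKey in clear text, the payload is worth building programmatically. The sketch below is an added example, not Splunk's code. It merges the existing filter with a new clause, takes appId and secretKey from the environment, writes the file readable by its owner only, and checks the re-fetched object for step 5. The variable names AZURE_APP_ID and AZURE_SECRET_KEY, the sample object, and carrying the retrieved fields over unchanged are assumptions.

```python
import json
import os

def merge_filters(existing_rules, new_clause, op="and"):
    """Return resourceFilterRules that keep the current filter and add new_clause."""
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    rules = existing_rules or []
    if len(rules) > 1:
        # The page does not say how several rules combine; merge those by hand.
        raise ValueError("more than one existing rule; review manually")
    sources = [r["filter"]["source"] for r in rules]
    if new_clause in sources:
        return rules  # already filtered this way, nothing to add
    merged = f" {op} ".join(f"({s})" for s in sources + [new_clause])
    return [{"filter": {"source": merged}}]

def build_payload(retrieved, new_clause, env, op="and"):
    """Copy the GET result, re-add the credentials GET omits, set the merged filter."""
    payload = dict(retrieved)
    payload["appId"] = env["AZURE_APP_ID"]          # hypothetical variable names
    payload["secretKey"] = env["AZURE_SECRET_KEY"]  # keeps the secret out of source files
    payload["resourceFilterRules"] = merge_filters(
        retrieved.get("resourceFilterRules"), new_clause, op)
    return payload

def write_private(path, payload):
    """Write update.json with owner-only permissions because it holds secretKey."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # tighten the mode even if the file already existed
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh, indent=2)

def filter_applied(fetched, expected_rules):
    """Step 5: compare the filter on a re-fetched integration with what was sent."""
    return fetched.get("resourceFilterRules") == expected_rules

# Constructed sample of a step 2 response; IDs are placeholders.
RETRIEVED = {
    "type": "Azure", "name": "azure-prod", "pollRate": 60000, "services": [],
    "id": "<INTEGRATION_ID>", "tenantId": "<YOUR_TENANT_ID>",
    "subscriptions": ["<SUBSCRIPTION>"],
    "resourceFilterRules": [{"filter": {
        "source": 'filter("azure_resource_group_name", "integrations-demo")'}}],
}

if __name__ == "__main__":
    new = 'filter("azure_tag_Environment", "prod")'
    print(merge_filters(RETRIEVED["resourceFilterRules"], new)[0]["filter"]["source"])
```

In practice, call write_private("update.json", build_payload(RETRIEVED, new, os.environ)) with the object from step 2, and delete update.json after the PUT succeeds.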
Filter rules
As mentioned above, Azure tags have a name and a value. The name does not support wildcards, but the value does.
Filters can use "and" and "or" clauses, and brackets can be used to force grouping.