
 Integrate Microsoft Azure monitoring with Splunk Observability Cloud

Microsoft Azure integration connects Splunk Observability Cloud data collection with Microsoft Azure monitoring.

When you send an API request, you need to use the endpoint specific to your organization's realm. To learn more, see Realms in endpoints.

 Create an integration using the API

You need to be an Admin in Splunk Observability Cloud to create a Microsoft Azure integration.

 Azure prerequisites

To create the integration, you need the following Microsoft Azure information, which you can get from the Azure website.

  • tenantID
  • appID
  • secret key

You also need the list of subscription IDs you want to monitor in Splunk Observability Cloud. For detailed instructions on how to configure Microsoft Azure and how to get the necessary information, see the Connect to Azure and send data to Splunk Observability Cloud topic in the Splunk Observability Cloud user documentation.

 Create the integration object

After you have the Azure information, create the Azure integration object using the operation POST https://api.<REALM>.signalfx.com/v2/integration.

To authenticate this request, you need to specify a session token associated with a user who is an administrator. To learn more about authentication tokens, see Authentication Tokens.

The following curl command shows you how to create the integration:

$ curl \
--request POST \
--header "X-SF-TOKEN: <ADMIN_SESSION_TOKEN>" \
--header "Content-Type: application/json; charset=utf8" \
--data \
    '{
      "type" : "Azure",
      "name" : "<INTEGRATION_NAME>",
...

The response body for a successful request is similar to the following:

{
    "type": "Azure",
    "name" : "<INTEGRATION_NAME>",
    "pollRate" : 60000,
    "services" : [],
    "id" : "<INTEGRATION_ID>",
    "tenantId" : "<YOUR_TENANT_ID>",
    "subscriptions" : ["<SUBSCRIPTION>", "<SUBSCRIPTION>"...]
}

To ensure security, the create request adds the tenantId, appId and secretKey properties to the integration object but doesn’t return appId and secretKey in the response.

 Tagging

Azure tags have a name and a value.

Be careful when choosing tag names: Splunk Observability Cloud only allows alphanumeric characters, as well as the underscore and minus symbols. Unsupported characters include ., :, /, =, +, @, and spaces, which are replaced by the underscore character.

 Create filters using the API

Once you've set up your Azure integration, you can filter by the following:

  • Tags (tag)
  • Resource name (resource_name)
  • Resource group name (resource_group_name)
  • Resource subtype (kind). Some resources have "subtypes". For example, the resource type Microsoft.Web/sites has two subtypes (or "kind"): web apps and Azure functions. For more information, refer to the official Azure documentation.

You need to prefix any of these with azure_ in the filter string: azure_tag, azure_resource_name, azure_resource_group_name or azure_kind. For example, the tag name of Environment becomes azure_tag_Environment when used in the filter string.

 Prerequisites

To create filters you'll need the following:

  • Azure Subscription ID, found under the Subscriptions section
  • Azure Tenant Name
  • Azure Secret Value, only visible once during the original setup of the integration
  • Azure Application ID, visible in the All Applications list
  • Azure Type (azure or azure_us_government). Filtering might only work with value azure

 Set up a new filter

To set up a new filter, perform the following steps:

 1. Obtain your Splunk Observability Cloud account info

You need the following information:

 2. Retrieve your existing integration details

To retrieve your integration details, run the following curl command:

curl -X GET "https://api.<Splunk O11y Realm>.signalfx.com/v2/integration" \
    -H "Content-Type: application/json" \
    -H "X-SF-TOKEN: <My Login API Token>"

This step can retrieve multiple integrations so be sure to review and find the one you want to update.

If you have multiple integrations, you can include an Integration ID with the get command to only retrieve data for that specific integration.

curl -X GET "https://api.<Splunk O11y Realm>.signalfx.com/v2/integration/<Integration ID>" \
    -H "Content-Type: application/json" \
    -H "X-SF-TOKEN: <My Login API Token>"

Use the retrieved data to build the JSON payload file to update the integration.

 3. Create the JSON payload file

Create a new file, update.json, with the retrieved information, and adjust the placeholder values as required. Create this file in the same folder where you are running your curl commands.

The filter value is overwritten during the next step, so if you have filters that you need to preserve, use Boolean and/or logic to include those previous filters, as shown in the filter logic below.

{
    "type": "Azure",
    "name": "<Azure Name>",
    "pollRate": 60000 <use the same pollRate value from previous step>,
    "subscriptions": [
        "<Azure Subscription ID>"
    ],
    "secretKey": "<Azure Secret Value>",
...

This example is for a filter using the resource group name:

 "resourceFilterRules": [
    {
      "filter": {
        "source": "filter(\"azure_resource_group_name\", \"integrations-demo\")"
      }
    }
  ]

 4. Update the integration

To update the integration with the new filter, use the new JSON file, update.json, and run the following command:

curl -X PUT "https://api.<Splunk O11y Realm>.signalfx.com/v2/integration/<Integration ID>" \
    -H "Content-Type: application/json" \
    -H "X-SF-TOKEN: <My Login API Token>" \
    -d @update.json

 5. Verify the filter's been updated

Run the curl command from the Retrieve your existing integration details step again to verify that the filter value has been updated.

 Filter rules

As mentioned above, Azure tags have a name and a value. The name does not support wildcards, but the value does.

Filters can use and and or clauses, and brackets can be used to force grouping.
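
The tag-name rule from the Tagging section, the filter-preserving payload from step 3, and the and/or grouping described here, combined in one added Python example (not code from the Splunk documentation). It assumes the sanitized tag name is the one used in the filter string, that `*` is the value wildcard, that the PUT body carries the fields listed in `keep` plus `appId` and `secretKey`, and that `AZURE_APP_ID` and `AZURE_SECRET` are environment variables you define; `CURRENT` is constructed sample data.

```python
import json
import os
import re

# Constructed stand-in for the GET /v2/integration/<Integration ID> response.
CURRENT = {
    "type": "Azure", "name": "<Azure Name>", "pollRate": 60000,
    "subscriptions": ["<Azure Subscription ID>"], "tenantId": "<YOUR_TENANT_ID>",
    "resourceFilterRules": [{"filter": {
        "source": 'filter("azure_resource_group_name", "integrations-demo")'}}],
}

def tag_property(tag_name):
    """Environment -> azure_tag_Environment; unsupported characters become '_'."""
    return "azure_tag_" + re.sub(r"[^A-Za-z0-9_-]", "_", tag_name)

def clause(prop, value):
    """One filter() clause; a wildcard (assumed to be '*') is allowed in the value only."""
    if "*" in prop or any(c in prop + value for c in '"\\'):
        raise ValueError("refusing name/value that would alter the expression")
    return 'filter("%s", "%s")' % (prop, value)

def merge_rules(existing, new_source, op="and"):
    """Bracket every existing rule and the new clause, joined by one operator."""
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    sources = [r["filter"]["source"] for r in existing] + [new_source]
    return [{"filter": {"source": (" %s " % op).join("(%s)" % s for s in sources)}}]

def build_update(current, app_id, secret_key, new_source, op="and"):
    """PUT body: fields copied from the GET response plus the two it omits."""
    keep = ("type", "name", "pollRate", "subscriptions", "tenantId")  # assumed field set
    body = {k: current[k] for k in keep if k in current}
    body.update(appId=app_id, secretKey=secret_key)
    body["resourceFilterRules"] = merge_rules(
        current.get("resourceFilterRules", []), new_source, op)
    return body

def write_private(path, body):
    """update.json holds secretKey, so create it owner-read/write only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as fh:
        json.dump(body, fh, indent=4)

if __name__ == "__main__":
    new = clause(tag_property("Environment"), "prod*")
    body = build_update(CURRENT, os.environ.get("AZURE_APP_ID", "<Azure Application ID>"),
                        os.environ.get("AZURE_SECRET", "<Azure Secret Value>"), new)  # hypothetical env var names
    write_private("update.json", body)
```

Delete update.json once the PUT succeeds, because the file contains the Azure secret value in clear text.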