The project provides modules to integrate Azure Data Explorer (on Azure and Microsoft Fabric) with Splunk:
- Export data continuously from a Splunk index to ADX using the Azure Data Explorer Splunk Add-on.
- Export data to ADX as a target using the Splunk universal forwarder.
- A sample Spark job to extract existing data from Splunk indexes to ADX for historical analysis.
Prerequisites
Before getting started, ensure you have the following prerequisites in place:
- A Splunk instance with the required privileges to install and configure add-ons.
- Access to an Azure Data Explorer cluster.
- Download the Splunk Addon for Azure Data Explorer from the Splunkbase website.
- Log in to your Splunk instance as an administrator.
- Navigate to "Apps" and click on "Manage Apps."
- Click on "Install app from file" and select the downloaded Splunk Addon for Azure Data Explorer file.
- Follow the prompts to complete the installation.
- Log in to your Splunk instance.
- Navigate to "Settings" and click on "Indexes."
- Click on "New Index" to create a new index.
- Provide a name for the index and configure the necessary settings (e.g., retention period, data model).
- Save the index configuration.
- In the Splunk dashboard, enter in the Search bar the search query on which alerts will be generated; the resulting alert data is what will be ingested into Azure Data Explorer.
- Click on Save As and select Alert.
- Provide a name for the alert and the interval at which it should be triggered.
- Select the alert action as "Send to Azure Data Explorer."
- Configure the Azure Data Explorer connection details: application client ID, application client secret, cluster name, database name, and table name.
- Click on Save to save the alert configuration.
- Start monitoring the Azure Data Explorer logs to ensure proper data ingestion.
- Once the alert is triggered in Splunk, the data will be ingested to Azure Data Explorer.
- Verify the data in Azure Data Explorer using the database and table name in the previous step.
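To verify ingestion and catch silent gaps, the following KQL can be run against the target database. This is an added example, not part of the add-on; it assumes the table configured in the alert action is named `SplunkAlerts` (a placeholder) and relies only on the built-in `ingestion_time()` function and the `.show ingestion failures` management command.

```kql
// Constructed example; replace SplunkAlerts with the table name used in the alert action.
// 1) Count ingested alert rows per hour for the last day, so a stopped alert
//    or a broken connection shows up as empty buckets.
SplunkAlerts
| where ingestion_time() > ago(24h)
| summarize Events = count(), LastIngested = max(ingestion_time())
    by Hour = bin(ingestion_time(), 1h)
| order by Hour asc

// 2) Surface ingestion failures for the same table over the same window,
//    e.g. schema mismatches or permission errors on the service principal.
.show ingestion failures
| where FailedOn > ago(24h) and Table == "SplunkAlerts"
| project FailedOn, ErrorCode, FailureKind, ShouldRetry, Details
| order by FailedOn desc
```

Running the first query right after the alert fires confirms the end-to-end path; the second is the place to look when rows are missing.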
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties' policies.