Ingest data from Splunk Universal Forwarder to Azure Data Explorer
Important
This connector can be used in Real-Time Intelligence in Microsoft Fabric. Use the instructions in this article with the following exceptions:
- If required, create databases using the instructions in Create a KQL database.
- If required, create tables using the instructions in Create an empty table.
- Get query or ingestion URIs using the instructions in Copy URI.
- Run queries in a KQL queryset.
Splunk Universal Forwarder is a lightweight version of the Splunk Enterprise software that allows you to ingest data from many sources simultaneously. It's designed for collecting and forwarding log data and machine data from various sources to a central Splunk Enterprise server or a Splunk Cloud deployment. Splunk Universal Forwarder serves as an agent that simplifies the process of data collection and forwarding, making it an essential component in a Splunk deployment. Azure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data.
In this article, learn how to use the Kusto Splunk Universal Forwarder Connector to send data to a table in your cluster. You initially create a table and data mapping, then direct Splunk to send data into the table, and then validate the results.
Prerequisites
- Splunk Universal Forwarder downloaded on the same machine where the logs originate.
- An Azure Data Explorer cluster and database. Create a cluster and database.
- Docker installed on the system that runs the Kusto Splunk Universal Forwarder connector.
- A Microsoft Entra service principal. Create a Microsoft Entra service principal.
Create an Azure Data Explorer table
Create a table to receive the data from Splunk Universal Forwarder and then grant the service principal access to this table.
In the following steps, you create a table named SplunkUFLogs with a single column (RawText). This is because Splunk Universal Forwarder sends data in a raw text format by default. The following commands can be run in the web UI query editor.
Create a table:
.create table SplunkUFLogs (RawText: string)Verify that the table
SplunkUFLogswas created and is empty:SplunkUFLogs | countUse the service principal from the Prerequisites to grant permission to work with the database containing your table.
.add database YOUR_DATABASE_NAME admins ('aadapp=YOUR_APP_ID;YOUR_TENANT_ID') 'Entra service principal: Splunk UF'
Configure the Splunk Universal Forwarder
When you download Splunk Universal Forwarder, a wizard opens to configure the forwarder.
In the wizard, set the Receiving Indexer to point to the system hosting the Kusto Splunk Universal Forwarder connector. Enter
127.0.0.1for the Hostname or IP and9997for the port. Leave the Destination Indexer blank.For more information, see Enable a receiver for Splunk Enterprise.
Go to the folder where Splunk Universal Forwarder is installed and then to the /etc/system/local folder. Create or modify the inputs.conf file to allow the forwarder to read logs:
[default] index = default disabled = false [monitor://C:\Program Files\Splunk\var\log\splunk\modinput_eventgen.log*] sourcetype = modinput_eventgenFor more information, see Monitor files and directories with inputs.conf.
Go to the folder where Splunk Universal Forwarder is installed and then to the /etc/system/local folder. Create or modify the outputs.conf file to determine the destination location for the logs, which is the hostname and port of the system hosting Kusto Splunk Universal Forwarder connector:
[tcpout] defaultGroup = default-autolb-group sendCookedData = false [tcpout:default-autolb-group] server = 127.0.0.1:9997 [tcpout-server://127.0.0.1:9997]For more information, see Configure forwarding with outputs.conf.
Restart Splunk Universal Forwarder.
Configure the Kusto Splunk Universal connector
To configure the Kusto Splunk Universal connector to send logs to your Azure Data Explorer table:
Download or clone the connector from the GitHub repository.
Go to the base directory of the connector:
cd .\SplunkADXForwarder\Edit the config.yml to contain the following properties:
ingest_url: <ingest_url> client_id: <ms_entra_app_client_id> client_secret: <ms_entra_app_client_secret> authority: <ms_entra_authority> database_name: <database_name> table_name: <table_name> table_mapping_name: <table_mapping_name> data_format: csvField Description ingest_urlThe ingestion URL for your Azure Data Explorer cluster. You can find it in the Azure portal under the Data ingestion URI in the Overview tab of your cluster. It should be in the format https://ingest-<clusterName>.<region>.kusto.windows.net.client_idThe client ID of your Microsoft Entra application registration created in the Prerequisites section. client_secretThe client secret of your Microsoft Entra application registration created in the Prerequisites section. authorityThe ID of the tenant that holds your Microsoft Entra application registration created in the Prerequisites section. database_nameThe name of your Azure Data Explorer database. table_nameThe name of your Azure Data Explorer destination table. table_mapping_nameThe name of the ingestion data mapping for your table. If you don't have a mapping, you can omit this property from the configuration file. You can always parse data into various columns later. data_formatThe expected data format for incoming data. The incoming data is in raw text format, so the recommended format is csv, which maps the raw text to the zero index by default.Build the docker image:
docker build -t splunk-forwarder-listenerRun the docker container:
docker run -p 9997:9997 splunk-forwarder-listener
Verify that data is ingested into Azure Data Explorer
Once the docker is running, data is sent to your Azure Data Explorer table. You can verify that the data is ingested by running a query in the web UI query editor.
Run the following query to verify that data is ingested into the table:
SplunkUFLogs | countRun the following query to view the data:
SplunkUFLogs | take 100