Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
|Splunk platform component||Supported||Required||Comments|
|Search Heads||Yes||Yes||This add-on contains search-time knowledge. It is recommended to turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.|
|Heavy Forwarders||Yes||No (but recommended)||It is recommended to install this add-on on a heavy forwarder for data collection. Data collection should be configured in only 1 place to avoid duplicates.|
|Indexers||Yes||No||Not required as the parsing operations occur on the forwarders.|
|Universal Forwarders||No||No||Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler.|
The API that the Azure Active Directory Sign-in input uses only returns sign-ins that are interactive in nature (where a username/password is passed as part of the auth token) and successful federation sign-ins. To collect sign-in data like non-interactive sign-ins, service principal sign-ins, managed identity sing-ins, etc., stream the Azure Active Directory data to an Event Hub. The Splunk Add-on for Microsoft Cloud Services can be used to retrieve Event Hub data.
The Azure Active Directory Sign-in and Audit inputs in this add-on utilize Azure AD activity reports available in the Microsoft Graph API. Microsoft Graph imposes service-specific limits to prevent the overuse of resources. These limits affect the scalability and throughput of the Azure Active Directory Sign-in and Audit inputs in this add-on. Refer to the identity and access reports service limits for specific imposed limits.
When throttling happens, an HTTP response code 429 is returned. Run the following search to determine if throttling is impacting your data ingestion:
index=_internal 429 client error
When a request is made to Microsoft Graph, only the first 1,000 records are returned. If there are more than 1,000 records available, a continuation token is returned along with the data. In this scenario, Splunk will index the 1,000 records returned and then follow the continuation token to retrieve the next 1,000 records. Each 1,000 record request counts toward the throttling limits.
To overcome throttling and collect non-interactive sign-in data, send Azure Active Directory Sign-in and Audit data to an Event Hub. The Splunk Add-on for Microsoft Cloud Services can be utilized to collect Event Hub data.
Upgrades of the same major version are supported. For example, upgrading from version 2.0.0 to 2.1.0 will work. However, upgrading from version 2.x to 3.x will not work and will cause errors.
Ensure the prerequisites are met above.
Refer to the README.md file included in this package for details.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.