Manage your Azure data inputs

Edit, update, or delete your existing Azure data inputs after onboarding is complete.

After you onboard your Microsoft Azure data sources, you might need to change input settings such as the HEC endpoint or client secret, upgrade the ARM template deployment when a newer version is available, or remove inputs that are no longer needed. Use the tasks in this section to manage your Azure data inputs from the Data Inputs page.

Edit your Azure data inputs for Data Inputs

Consider a scenario where you onboarded data for Microsoft Azure accounts, and you need to edit your data inputs after onboarding.

Note: If your Client Secret has expired, you will have to enter and submit a valid one. Without a valid Client Secret, you cannot save the edits to your input.
  1. On the Splunk Cloud home page, in the Data Management section of the left pane, select Data Inputs.
  2. On the Data Inputs page, in the Ingest inputs tab, find the Azure data input you want to revise, and select the Edit action.
  3. Make edits to your data input.
  4. Based on the edits to your data input, update the diagnostic settings on your subscriptions.

Update Azure data inputs to the newest ARM template version

Update your Azure data input to the newest ARM template version when Data Inputs detects a version mismatch in your deployed Azure Function.

  • You have an existing Azure data input (Microsoft Entra ID logs or Activity Logs) configured.
  • The input details page displays a yellow warning banner indicating that the ARM template version is out of date.
  • You have access to one of the following environments to run the update command:
    • Azure Cloud Shell in the Azure Portal (Bash or PowerShell mode).
    • A local terminal with the Azure CLI installed.
    • A Windows machine with the Az PowerShell module installed.

Data Inputs monitors the SplunkInputARMVersion resource tag on your Azure resources to determine whether the deployed ARM template version matches the expected version. If the tag is absent or holds an older value, the backend reports a version mismatch and the Update Data Input tab appears on the input panel.

The update commands re-run the ARM template deployment at subscription scope with updated parameters, including the newest function package URL and ARM template URI. The commands are pre-filled with your specific configuration values, such as subscription ID, region, HEC endpoint, HEC token, service principal, and resource tags, so no manual adjustment is needed. Because the pre-filled command includes the HEC token, handle the copied command as you would any credential.

  1. Log in to Splunk Cloud and select the Data Inputs app.
  2. On the Data Inputs page, select the Azure data input that displays the version mismatch warning.
  3. On the input details page, select the Update Data Input tab.

    This tab appears only when the deployed ARM template version is outdated. It is displayed alongside the Data Input Details and Azure Setup Details tabs.

  4. Choose the update command that matches your environment:
    Command type | When to use
    Azure CLI    | Run from Azure Cloud Shell (Bash mode) or any terminal where the Azure CLI is installed.
    PowerShell   | Run from Azure Cloud Shell (PowerShell mode) or a Windows machine with the Az PowerShell module installed.
  5. Select the copy button next to the code block to copy the pre-filled command.
  6. Open your chosen command-line environment and paste the command, then run it.

    The command runs in two parts. The first part sets the active subscription context. The second part deploys the ARM template at subscription scope with the updated parameters. The ARM template URI is selected automatically based on your input type (Microsoft Entra ID logs or Activity Logs).

    Note: The update command does not include a function trigger sync step. That step is required only on initial deployment when the Function App is first provisioned. For an in-place version upgrade, the Function App is already running and its triggers are already registered.
  7. Wait for the deployment to complete successfully.

After a successful update, the version mismatch warning is cleared from the input details page. The SplunkInputARMVersion resource tag on your Azure resources reflects the newest ARM version. You can verify the update by checking the deployment status on the input details page or by inspecting the resource tags directly in the Azure Portal.
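To inspect the tags outside the portal, the following added example (not part of the Splunk documentation or product code) applies the rule described above, where an absent or older SplunkInputARMVersion tag counts as a mismatch, to resource JSON in the shape that `az resource list --output json` returns. The resource names, the expected version "1.2.0", and the dotted-integer version format are assumptions made for illustration.

```python
import json

TAG = "SplunkInputARMVersion"  # tag name as given on this page

def parse_version(text):
    """Assumption: versions are dotted integers such as '1.2.0'."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def audit_arm_version(resources, expected):
    """Return (name, tag value, status) per resource.

    Status is 'missing' when the tag is absent, 'outdated' when it is older
    than `expected`, 'unparseable' when it is not a dotted-integer version,
    and 'current' otherwise.
    """
    want = parse_version(expected)
    findings = []
    for res in resources:
        # az emits "tags": null for untagged resources; tag names are
        # case-insensitive in Azure, so compare them lower-cased.
        tags = {k.lower(): v for k, v in (res.get("tags") or {}).items()}
        value = tags.get(TAG.lower())
        if value is None:
            status = "missing"
        else:
            try:
                status = "outdated" if parse_version(value) < want else "current"
            except ValueError:
                status = "unparseable"
        findings.append((res.get("name"), value, status))
    return findings

def mismatches(resources, expected):
    """Only the resources that would keep the version warning raised."""
    return [f for f in audit_arm_version(resources, expected) if f[2] != "current"]

# Constructed sample in the shape of `az resource list --output json`.
SAMPLE = json.loads("""[
  {"name": "splunk-func-example", "type": "Microsoft.Web/sites",
   "tags": {"SplunkInputARMVersion": "1.2.0"}},
  {"name": "splunkstoreexample", "type": "Microsoft.Storage/storageAccounts",
   "tags": {"splunkinputarmversion": "1.1.0"}},
  {"name": "splunk-plan-example", "type": "Microsoft.Web/serverFarms",
   "tags": null},
  {"name": "splunk-insights-example", "type": "Microsoft.Insights/components",
   "tags": {"SplunkInputARMVersion": "unknown"}}
]""")

if __name__ == "__main__":
    for name, value, status in audit_arm_version(SAMPLE, "1.2.0"):
        print(f"{status:12} {name} ({value})")
```

To check a real subscription, replace `SAMPLE` with the parsed output of `az resource list --output json` and pass the version that the input details page expects.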

Delete an Azure data input

Before deleting this data input configuration, you need to clean up the Azure setup. The Azure cleanup process cannot be canceled or paused while it is in progress.

Delete an Azure Activity Logs input

You can delete your Microsoft Entra ID data inputs from the Azure CLI or from the PowerShell CLI using the steps in the Data Inputs app.

  1. Clean up your Azure resources configurations.
  2. Select Delete Data Input to delete your data input.

Delete a Microsoft Entra ID input

You can delete your Azure Activity Logs data inputs from the PowerShell CLI.

  1. Delete the diagnostic settings from your Azure Portal.
  2. Clean up your Azure resources configurations.
  3. Select Delete Data Input to delete your data input.

Delete an Azure Event Hub input

You can delete Azure Event Hub data inputs using the graphical user interface of Data Inputs.

  1. On the Data Inputs home page, in the Ingest inputs tab, find the Azure data input that you want to delete.
  2. Select the Delete action.
  3. In the Delete Data Input dialog, select Delete Input.
Note: Data from a deleted input remains available.