Python demo code to ingest data into and query from an ADX Database.

Splunk-2-ADX (Azure Data Explorer) Data Migration

Python demo using Kusto SDK to ingest to and query from ADX Database (Table|SplunkTableRaw)

  1. Log into Azure with the required permissions / access
  2. Create App Registration & Secret from Entra ID
  3. Record Client_ID, Client_Secret, and Tenant_ID from App Registration
  4. Create ADX Cluster
  5. Create a Database within your ADX Cluster
  6. Enable Managed Identity (System) for your ADX Cluster
  7. Within the Database -- Assign "Admin permission" to App Registration
  8. Create Tables, Mapping, and Expand function within ADX Database
  9. Install Python 3.X w/ the Kusto Python SDK (Windows / Linux / MacOS)
       mkdir adx_demo
       python -m venv adx_demo
       source adx_demo/bin/activate
       pip install azure-kusto-data
       pip install azure-kusto-ingest

Illustration

Ingestion: Kusto Python SDK used to programmatically authenticate & ingest data [data_ingest_all.json]

Sample Data (JSON): data_ingest_all.json

ADX Database Query (SplunkTable) via Kusto Python SDK
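An added example (not the repository's own demo script) of the ingest-then-query round trip described above: it checks that every record in the source file carries the `$.FWLogEntry` key the mapping expects before queuing the file into SplunkTableRaw, then runs the SplunkTable query. The Kusto SDK calls and the environment variable names (ADX_CLUSTER_URI, ADX_INGEST_URI, ADX_CLIENT_ID, ADX_CLIENT_SECRET, ADX_TENANT_ID) are assumptions; the sample record is constructed.

```python
import json
import os

# Constructed sample record: the top-level key must match the mapping path
# '$.FWLogEntry', otherwise the row lands in SplunkTableRaw with an empty Records column.
SAMPLE = {"FWLogEntry": {"TimeGenerated": "2024-03-13T18:45:54.9122018Z",
                         "Company": "MFCC-G9-DOG", "Hacker": "Maj JJ Bottles",
                         "Venue": "BSides DC", "Type": "SplunkTable"}}
REQUIRED = ("TimeGenerated", "Company", "Hacker", "Venue", "Type")  # fields the query projects
QUERY = ("SplunkTable | extend t = parse_json(FWLogEntry) | project "
         "TimeGenerated=todatetime(t.TimeGenerated), Company=tostring(t.Company), "
         "Hacker=tostring(t.Hacker), Venue=tostring(t.Venue), Type=tostring(t.Type)")


def validate_records(records):
    """Split records into (ok, bad): ok rows carry $.FWLogEntry with every REQUIRED field."""
    ok, bad = [], []
    for rec in records:
        entry = rec.get("FWLogEntry") if isinstance(rec, dict) else None
        (ok if isinstance(entry, dict) and all(k in entry for k in REQUIRED) else bad).append(rec)
    return ok, bad


def load_json_lines(path):
    """data_ingest_all.json is assumed to hold one JSON object per line (Kusto 'json' format)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def ingest_and_query(path, database):
    """Queue the file into SplunkTableRaw via the 'SplunkTableMapping' mapping, then read
    back SplunkTable. SDK calls are assumed from azure-kusto-data / azure-kusto-ingest; the
    cluster URIs and app-registration secret come from environment variables, not source."""
    from azure.kusto.data import KustoClient, KustoConnectionStringBuilder
    from azure.kusto.data.data_format import DataFormat
    from azure.kusto.ingest import IngestionProperties, QueuedIngestClient
    _, bad = validate_records(load_json_lines(path))
    if bad:  # refuse a file that would silently produce empty or null rows downstream
        raise ValueError(f"{len(bad)} record(s) lack $.FWLogEntry or a required field")

    def kcsb(uri):  # one app registration serves both the query and the ingest endpoint
        return KustoConnectionStringBuilder.with_aad_application_key_authentication(
            uri, os.environ["ADX_CLIENT_ID"], os.environ["ADX_CLIENT_SECRET"],
            os.environ["ADX_TENANT_ID"])
    props = IngestionProperties(database=database, table="SplunkTableRaw",
                                data_format=DataFormat.JSON,
                                ingestion_mapping_reference="SplunkTableMapping")
    QueuedIngestClient(kcsb(os.environ["ADX_INGEST_URI"])).ingest_from_file(
        path, ingestion_properties=props)
    # Queued ingestion is asynchronous: rows show up once the batching window has elapsed.
    response = KustoClient(kcsb(os.environ["ADX_CLUSTER_URI"])).execute(database, QUERY)
    return [row.to_dict() for row in response.primary_results[0]]
```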

ADX Database Query (SplunkTable) via ADX

Create temp table where data will ingest to

.create table SplunkTableRaw (Records:dynamic)

The mapping path $.FWLogEntry must match the top-level key of the JSON object being ingested from the source JSON file.
FWLogEntry is mapped to the Records column of the SplunkTableRaw table.

// e.g. {"FWLogEntry":{"TimeGenerated":"2024-03-13T18:45:54.9122018Z", "Company":"MFCC-G9-DOG", "Hacker":"Maj JJ Bottles", "Venue":"BSides DC", "Type":"SplunkTable"}}
.create table SplunkTableRaw ingestion json mapping 'SplunkTableMapping' '[{"column":"Records", "Properties":{"Path":"$.FWLogEntry"}}]'
.alter-merge table SplunkTableRaw policy retention softdelete = 0d

Create table (SplunkTable) where the data will reside

.create table SplunkTable (FWLogEntry:dynamic)

Create SplunkTableExpand() function

.create-or-alter function SplunkTableExpand() {
    SplunkTableRaw
    // name the output column after the target column so the update policy's
    // result schema matches SplunkTable (FWLogEntry:dynamic)
    | project FWLogEntry = Records
}

Apply SplunkTableExpand() function to the SplunkTable

.alter table SplunkTable policy update @'[{"Source": "SplunkTableRaw", "Query": "SplunkTableExpand()", "IsEnabled": true, "IsTransactional": true}]'

If you ever need to drop the SplunkTable or the SplunkTableExpand() Function

//.drop function SplunkTableExpand
// the mapping was created on SplunkTableRaw under the name 'SplunkTableMapping'
//.drop table SplunkTableRaw ingestion json mapping 'SplunkTableMapping'

Test data to ingest and ensure the tables, policies, mapping, and expand function are operating correctly.

// ingest into the raw table with the mapping so that the mapping and the update policy are exercised
.ingest inline into table SplunkTableRaw with (format = "json", ingestionMappingReference = "SplunkTableMapping") <| {"FWLogEntry":{"TimeGenerated":"2024-03-13T18:45:54.9122018Z", "Company":"MFCC-G9-DOG", "Hacker":"Maj JJ Bottles", "Venue":"BSides DC", "Type":"SplunkTable"}}

Query SplunkTable

SplunkTable
| extend t = parse_json(FWLogEntry)
| project TimeGenerated=todatetime(t.TimeGenerated), Company=tostring(t.Company), Hacker=tostring(t.Hacker), Venue=tostring(t.Venue), Type=tostring(t.Type)

Enable continuous export of ADX database tables to ADLSv2 (LT storage) via a system-assigned managed identity

Microsoft Source Document: here!

Acquire schema from an ADX internal table to create an external table via ADLSv2
