Azure resources with no associated tags
Using tags on resources allows an IT department to better organize cloud-based resources. Tags facilitate the identification of assets running specific work loads, department ownership, business process priority, and cost related information. Finding a large inventory of untagged assets is an important input for monitoring and managing tagging policy in the use of cloud based resources. You want to create a search to help your IT department do this.
Data required
Microsoft: Azure resource data
Procedure
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:resource:*"
| dedup id
| foreach tags.*
[| eval newtags = mvappend(coalesce(newtags, ""), "<<MATCHSTR>>"." : ".'<<FIELD>>')]
| eval newtags=coalesce(custom_tag,newtags)
| mvexpand newtags
| eval mysplit = split(newtags, " : ")
| eval tag_name=mvindex(mysplit,0), tag_value=mvindex(mysplit,1)
| fields id tag_name tag_value type
| eval {tag_name}=tag_value
| stats values(*) as * by id type | fields - tag_name tag_value
| fillnull value="Untagged!"
| sort type
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
sourcetype=mscs:resource:* |
Search only Azure resource data. |
| | dedup id | Obtain the most recent tag(s) per resource. |
| | foreach tags.* [| eval newtags = mvappend(coalesce(newtags, ""), "<<MATCHSTR>>"." : ".'<<FIELD>>')] |
For each tag, evaluate a new field named newtags and format the tags with a colon (:) between the tag name and tag value. |
| | eval newtags=coalesce(custom_tag,newtags) | Update the newtags field with the current value in addition to any values that might exist within the custom_tag field. |
| | mvexpand newtags | Expand values in a multivalue field into separate events, one event for each value in the multivalue field. |
| | eval mysplit = split(newtags, " : ") | Create a field named mysplit and split newtags field with a colon (:) as the delimiter. |
| | eval tag_name=mvindex(mysplit,0), tag_value=mvindex(mysplit,1) | Create the tag_name and tag_value fields. |
| | fields id tag_name tag_value type | Return the fields id, tag_name tag_value and type fields. |
| | eval {tag_name}=tag_value | Make the tag_name field equal the value of tag_value field. |
| | stats values(*) as * by id type | Count by ID and type. |
| | fields - tag_name tag_value | Remove the tag_name and tag_value fields from the results. |
| | fillnull value="Untagged!" | Replaces null values with "Untagged!" |
| | sort type | Sort by type. |
Next steps
This search can serve as input to a potential automation process to assign tags or request owners to formulate and assign tags to their assets. Splunk SOAR could be used for such an automation project by putting the results of the search into a playbook that formats an email to the owner of the untagged asset requiring tagging to be put into place. Azure’s Cloud Adoption Framework contains a decision guide for resource naming and the use of tags.
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.