You might want a list of resources that have no tags associated with them when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.
|
Category |
Name |
Importance |
|
Data |
Azure audit data, resource data, storage table data, and blob data |
Required |
|
Add-on |
Required |
|
|
App |
Recommended |
|
|
Add-on |
Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
Using tags on resources allows an IT department to better organize cloud-based resources. Tags facilitate the identification of assets running specific work loads, department ownership, business process priority, and cost related information. Finding a large inventory of untagged assets is an important input for monitoring and managing tagging policy in the use of cloud based resources. You want to create a search to help your IT department do this.
- Run the following search:
sourcetype=mscs:resource:*
|search _raw!=*tags*
|dedup id, name, location
|table id, name, location tags.*
|fillnull value="Untagged!"
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype=mscs:resource:* |
Search only Azure resource data. |
|
|search _raw!=*tags* |
Filter the results to only include those where the _raw field does not include “tags”. |
|
|dedup id, name, location |
Remove duplicate results by ID, name, and location. |
|
|table id, name, location tags.* |
Display the results in a table with columns in the order shown. |
|
|fillnull value="Untagged!" |
Fill any null values with “Untagged!” |
Result
Sample results for this search are shown in the table below. This search can serve as input to a potential automation process to assign tags or request owners to formulate and assign tags to their assets. Splunk Phantom could be used for such an automation project by putting the results of the search into a playbook that formats an email to the owner of the untagged asset requiring tagging to be put into place. Azure’s Cloud Adoption Framework contains a decision guide for resource naming and the use of tags.
|
id |
name |
location |
tags.Owner |
tags.Purpose |
tags.service |
|
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/frothly/providers/Microsoft.Network/publicIPAddresses/test-ip |
test-ip |
southcentralus |
Untagged! |
Untagged! |
Untagged! |
|
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/MineMeld/providers/Microsoft.Network/networkInterfaces/networkInterface1 |
networkInterface1 |
southcentralus |
Untagged! |
Untagged! |
Untagged! |
|
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Compute/virtualMachines/Splunk |
Splunk |
australiasoutheast |
Untagged! |
Untagged! |
Untagged! |
|
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/virtualNetworks/bots-vnet |
bots-vnet |
australiasoutheast |
Untagged! |
Untagged! |
Untagged! |
|
/subscriptions/1213b189-13ff-42fe-b370-df6da421bce1/resourceGroups/bots/providers/Microsoft.Network/networkInterfaces/splunk64 |
splunk64 |
australiasoutheast |
Untagged! |
Untagged! |
Untagged! |
Comments
0 comments
Please sign in to leave a comment.