Splunk® App for AWS (Legacy)

Release Notes

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade guide for the Splunk App for AWS

When you upgrade from the 4.0.0 version to the 4.1.0 version of the Splunk App for AWS:

  • Upgrade the add-on: The Splunk App for AWS version 4.1.0 requires the Splunk Add-on for AWS version 3.0.0 or later. Upgrade to the new version of the add-on on all search heads and forwarders before using the new version of the app. See About the Splunk Add-on for Amazon Web Services for documentation of the add-on.
  • CloudWatch:
      • Open any previously configured CloudWatch inputs and re-save them.
      • Add the S3 service, not available in the 4.0.0 version of the CloudWatch input, to fully populate the Overview dashboard.
      • If you were previously collecting Billing metrics through CloudWatch and you did so without specifying the US East (N. Virginia) region, add the US East (N. Virginia) region to continue collecting them.
      • If you previously used the app to configure multiple CloudWatch metrics in the same input, but would prefer to use different granularities and intervals for different metrics, you can now separate these collection jobs into separate inputs.
  • Metadata: The app automatically creates a corresponding Metadata input for any new accounts you configure after you upgrade to this version of the app. However, for any accounts that you had already configured before the upgrade, you need to manually delete and recreate a Metadata input in order to display all your dashboards correctly. For more information about configuring Metadata inputs, see Add a Metadata input for the Splunk App for AWS.
      • For all accounts that you configured prior to upgrading the app which have a Config input associated with them, delete the Metadata input that automatically appears after you upgrade the app. This Metadata input retains the region information that you configured when you created a Config input with this account, and this region information cannot be edited in this input. Create a Metadata input manually for each of these accounts in order to collect metadata from all available regions.
      • For all accounts that you configured prior to upgrading the app, but which you did not use to configure a Config input, no Metadata input will appear. For these accounts, create a Metadata input manually.
  • S3: The S3 input has been redesigned in this release. Check your existing S3 inputs and make updates if:
      • You previously used the whitelist field to specify which keys should be indexed. This parameter is no longer provided in the app's configuration UI, but you can adjust it through the Splunk Add-on for AWS.
      • You previously configured a character set in an S3 input and you need to change it. This parameter is no longer provided in the app's configuration UI, nor is it available in the add-on's configuration UI. However, for backwards compatibility, you can still change this parameter in the configuration files. File a support ticket if you are using Splunk Cloud and cannot access the local/inputs.conf file.
      • You previously collected CloudFront, ELB, or S3 access logs using the S3 input. Edit these inputs to specify the relevant source type for these logs, so they will populate correctly on your dashboards.
  • Config: To take advantage of the new IAM topology layer in the Topology dashboard, go to your AWS Config setup screen in the AWS Management Console and elect to include global resources.
  • Billing: The app now supports collecting Detailed billing reports with resources and tags. If you want to start collecting these reports, edit your existing billing input to add this additional report type to your collection. For more information about configuring detailed billing collection, see Add a Billing input for the Splunk App for AWS.
  • Saved searches: In order to populate all your dashboards correctly, manually run the following saved searches, or wait until the next scheduled time for them to run automatically. For more information about the saved searches included in the app, see Saved searches for the Splunk App for AWS.
      • Config: Topology Data Generator
      • CloudWatch: Topology CPU Metric Generator
      • CloudWatch: Topology Disk IO Metric Generator
      • CloudWatch: Topology Network Traffic Metric Generator
      • CloudWatch: Topology Volume IO Metric Generator
      • CloudWatch: Topology Volume Traffic Metric Generator
      • AWS Billing - Tags
      • AWS Config - Tags
      • AWS Description - Tags
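
The S3 checks in the list above can be run against a copy of local/inputs.conf before the upgrade. The following is an added example, not code from Splunk or from this documentation; the stanza prefix `aws_s3://`, the keys `whitelist`, `character_set` and `sourcetype`, and the generic `aws:s3` source type are assumptions about the add-on's file format, so confirm them against your add-on version. The sample file is constructed.

```python
import configparser

# Assumed names from the Splunk Add-on for AWS; confirm for your version.
S3_STANZA_PREFIX = "aws_s3://"
GENERIC_SOURCETYPE = "aws:s3"

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = r"""
[aws_s3://elb_logs]
aws_account = example-account
bucket_name = example-elb-logs
whitelist = .*\.log$
character_set = utf-8
sourcetype = aws:s3

[aws_s3://cloudfront]
aws_account = example-account
bucket_name = example-cf-logs
character_set = auto
sourcetype = aws:cloudfront:accesslogs

[aws_cloudwatch://metrics]
aws_account = example-account
"""

def audit_s3_inputs(conf_text):
    """Return {stanza: [findings]} for S3 inputs that need review after the upgrade."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        if not stanza.startswith(S3_STANZA_PREFIX):
            continue  # only S3 inputs are covered by this check
        opts, findings = parser[stanza], []
        if opts.get("whitelist", "").strip():
            findings.append("whitelist set: adjust it through the add-on, not the app UI")
        charset = opts.get("character_set", "").strip()
        if charset and charset.lower() != "auto":
            findings.append(f"character_set={charset}: changeable only in inputs.conf")
        if opts.get("sourcetype", "").strip() in ("", GENERIC_SOURCETYPE):
            findings.append("generic source type: set the access-log source type "
                            "if this input collects CloudFront, ELB, or S3 access logs")
        if findings:
            report[stanza] = findings
    return report

if __name__ == "__main__":
    for name, items in audit_s3_inputs(SAMPLE_CONF).items():
        print(name, *items, sep="\n  - ")
```
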


Note: If you are upgrading from a pre-4.X version of the app, see Migrate from an unsupported version of the Splunk App for AWS in the version 4.0.0 documentation.

Last modified on 23 February, 2016

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0

