Splunk® App for AWS (Legacy)

Installation and Configuration Manual



On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Saved searches for the Splunk App for AWS

The Splunk App for AWS includes the following saved searches.

| Name | Purpose | Action required |
|---|---|---|
| Amazon Inspector: Topology Amazon Inspector Recommendation Generator | Generates Amazon Inspector data for the Amazon Inspector & Config Rules layer on the Topology dashboard. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| AWS Billing - Account Name | Populates an account name lookup file, account_name.csv, so that the app dashboards can display friendly names for the account IDs in your billing reports. | This saved search runs automatically the first time that a user accesses one of the four dashboards that contain billing data. If you have a large amount of data, this search may take up to a minute to fully populate the lookup file with the friendly names that correspond to the account IDs in the reports. After the lookup generation is complete, the dashboard prompts you to reload the page to display your friendly account names. This search is not scheduled, so after it runs the first time the lookup is not updated again. If, in future months, your billing reports include additional accounts, you may want to rerun the saved search manually to capture the new friendly names for those accounts. |
| AWS: calculate data volume indexed | Calculates how much data volume the app and add-on have ingested daily. | Automatically enabled. No action required. Scheduled to run once daily at twenty minutes past midnight. |
| AWS Config - Tags | Extracts user tags from config data. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| AWS Description - Tags | Extracts user tags from description data. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| Billing Alert: Account Total Cost | Billing alert template used to alert users when the cost of a specific account reaches a threshold. | To use this alert, first modify the search to include your billing account ID, then enable this alert on the Alerts page in the app. |
| Billing Alert: Service Total Cost | Billing alert template used to alert users when the cost of a specific service reaches a threshold. | To use this alert, first modify the search to include a service name, then enable the alert on the Alerts page in the app. |
| Billing Alert: Subaccount Service Total Cost | Billing alert template used to alert users when the cost of a specific service for a subaccount reaches a threshold. | To use this alert, first modify the search to include your billing account ID and a service name, then enable this alert on the Alerts page in the app. |
| Billing Alert: Subaccount Total Cost | Billing alert template used to alert users when the cost of a specific subaccount reaches a threshold. | To use this alert, first modify the search to include your billing account ID, then enable this alert on the Alerts page in the app. |
| Billing: Detailed Reports List | Used to reduce the loading time of the "Select Billing Tags" window on the Configure dashboard. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at 10pm. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| Billing: Topology Billing Metric Generator | Generates billing data for the Billing layer on the Topology dashboard. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| CloudTrail Alert: IAM: Create/Delete Roles | CloudTrail alert triggered by creation or deletion of roles in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: IAM: Create/Delete/Update Access Keys | CloudTrail alert triggered by creation, deletion, or update of access keys in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: IAM: Create/Delete/Update Groups | CloudTrail alert triggered by creation, deletion, or update of groups in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: IAM: Create/Delete/Update Users | CloudTrail alert triggered by creation, deletion, or update of users in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: IAM: Group Membership Updates | CloudTrail alert triggered by group membership changes in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions | CloudTrail alert triggered by reboot, stop, or termination actions in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: Instances: Run/Start Actions | CloudTrail alert triggered by run or start actions in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: Key Pairs: Create/Delete/Import Key Pairs | CloudTrail alert triggered by creation, deletion, or import of key pairs in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: Security Groups: Create/Delete Groups | CloudTrail alert triggered by creation or deletion of security groups in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: Unauthorized Actions | CloudTrail alert triggered by any unauthorized actions in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: VPC: Create/Delete VPC | CloudTrail alert triggered by the creation or deletion of VPCs in AWS. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: VPC: Create/Delete/Attach Network Interfaces | CloudTrail alert triggered by creation, deletion, or attachment of network interfaces in VPCs. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail Alert: VPC: Create/Delete/Replace Network ACLs | CloudTrail alert triggered by creation, deletion, or replacement of network ACLs in VPCs. | To use this alert, enable this alert on the Alerts page in the app. |
| Config Rules Alert: New Non-Compliant Resource | Sends an alert when a new non-compliant resource was found by Config Rules during the previous day. | To use this alert, enable this alert on the Alerts page in the app. |
| CloudTrail EventName Generator | Extracts the event names from CloudTrail. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes: on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| CloudWatch: Topology CPU Metric Generator | Gets the past day's average value for CPU Percentage from CloudWatch every hour. It is used on the Topology dashboard in the KPI tooltip and the CPU Utilization layer. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| CloudWatch: Topology Disk IO Metric Generator | Gets the past day's average value for Disk IO Operation Count from CloudWatch every hour. It is used on the Topology dashboard in the KPI tooltip. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour, at forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| CloudWatch: Topology Network Traffic Metric Generator | Gets the past day's average value for Network IO Size from CloudWatch every hour. It is used on the Topology dashboard in the KPI tooltip and the Network Traffic layer. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| CloudWatch: Topology Volume IO Metric Generator | Gets the past day's average value for Volume IO Operation Count from CloudWatch every hour. It is used on the Topology dashboard in the KPI tooltip. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| CloudWatch: Topology Volume Traffic Metric Generator | Gets the past day's average value for Volume IO Size from CloudWatch every hour. It is used on the Topology dashboard in the KPI tooltip and the Network Traffic layer. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| Config: Topology Data Generator | Collects the data from AWS Config required to render the Topology dashboard. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| Config Rules: Topology Config Rules Generator | Generates Config Rules data for the Amazon Inspector & Config Rules layer on the Topology dashboard. | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
| Machine Learning Recommendation | Runs every day to generate Recommendations on the Topology dashboard. | Automatically enabled. No action required. Scheduled to run every night at 9pm. Splunk recommends that you not run this search manually. |
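Several rows above share the same action item: if all inputs are configured through the Splunk Add-on for AWS rather than the app's Configure tab, the generator searches must be enabled and scheduled by hand. The fragment below is an added example of doing that declaratively in a local savedsearches.conf; it is not part of this manual or of the app's shipped configuration. It assumes the app's directory is named splunk_app_aws (an assumption, check your $SPLUNK_HOME/etc/apps), and it uses cron expressions chosen to match the schedules documented above (the exact minute within the hour is an assumption, since the table only says "every hour" and "at midnight").

```ini
# Added example: $SPLUNK_HOME/etc/apps/splunk_app_aws/local/savedsearches.conf
# (the app directory name is an assumption). Each stanza name must match the
# saved search name in the table exactly. The "search" key is inherited from the
# app's default/savedsearches.conf, so only enablement and scheduling keys are set
# here; the SPL itself is not restated.

# Documented schedule: every hour. Cron minute (0) is an assumption.
[Config: Topology Data Generator]
disabled = 0
enableSched = 1
cron_schedule = 0 * * * *

# Documented schedule: every hour.
[Config Rules: Topology Config Rules Generator]
disabled = 0
enableSched = 1
cron_schedule = 0 * * * *

# Documented schedule: once daily at midnight.
[AWS Config - Tags]
disabled = 0
enableSched = 1
cron_schedule = 0 0 * * *

# Documented schedule: once daily at midnight.
[AWS Description - Tags]
disabled = 0
enableSched = 1
cron_schedule = 0 0 * * *

# Documented schedule: every twenty minutes (on the hour, :20 and :40).
[CloudTrail EventName Generator]
disabled = 0
enableSched = 1
cron_schedule = 0,20,40 * * * *
```

Keeping the overrides in local/ rather than editing default/ means an app upgrade does not silently revert them, and leaving the search key out means the upgrade can still replace the SPL. After saving the file, restart Splunk or reload configuration, then confirm each search shows as enabled and scheduled under Settings > Searches, reports, and alerts.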
Last modified on 19 May, 2016

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.2.0, 4.2.1

