Splunk® App for AWS (Legacy)

User Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Overview of the dashboards in the Splunk App for AWS

The Splunk App for AWS offers a variety of dashboards to give you insight into your AWS data. As you navigate from one dashboard to another, the app retains your most recent filter selections for Account ID and region to facilitate easy browsing.

If you do not see data in a particular dashboard panel, check the source type of the panel for which data is missing. For example, if your Configuration Changes panel on the Overview dashboard shows zeroes, but you know changes have been made in your AWS environment, search sourcetype=aws:config:notification to check that data is coming in to your Splunk platform from that source type. If you do not see events, troubleshoot that input with a Splunk administrator.

Overviews

Dashboard Description Panel Source Type
Overview Gives a big picture overview of your AWS environment and status from different perspectives, including configuration changes, usage, security. If anything looks unusual, you can click a panel to drill down to a more detailed dashboard. Configuration Changes aws:config:notification
Notable CloudTrail Activity by Origin aws:cloudtrail
Compute Instances aws:description
Storage aws:description, aws:cloudwatch
Billing aws:cloudwatch, aws:billing
ELB aws:description, aws:cloudwatch
CloudFront aws:cloudfront:accesslogs
Usage Overview Summarizes the usage of AWS services such as EC2 and EBS. EC2 and EBS aws:description
ELB aws:description, aws:cloudwatch
Max CPU Utilization - Last 7 Days Top 5 aws:cloudwatch, aws:description
Min CPU Utilization - Last 7 Days Top 5 aws:cloudwatch, aws:description
Security Overview Displays the number of error events from different services. Drill down to more detailed dashboards from this overview. IAM Errors aws:cloudtrail
VPC Errors aws:cloudtrail
Security Group Errors aws:cloudtrail
Key Pair Errors aws:cloudtrail
Network ACL Errors aws:cloudtrail
Unauthorized Activity aws:cloudtrail
Authorized vs Unauthorized IAM Activity aws:cloudtrail
Authorized vs Unauthorized Activity by User aws:cloudtrail
Authorized vs Unauthorized Activity by Event Name aws:cloudtrail
Insights Overview Summarizes the numbers and trends of detected problems with resource usages as well as security and billing anomalies. Also lists detailed information of the last 100 anomalies detected if anomaly detection rules are defined in the Security Anomaly Insights and Billing Anomaly Insights dashboards. Insights - Yesterday aws:description, aws:cloudwatch
Anomaly - Yesterday aws:description, aws:cloudwatch, aws:cloudtrail
Anomaly - Last 100 by 12 a.m. aws:cloudwatch, aws:cloudtrail

Note: If you see a message indicating that the Notable CloudTrail Activity by Origin map cannot display, this is due to the fact that AWS does not provide a valid sourceIPAddress for data in the AWS region at this time.

Topology

Dashboard Description Panel Source Type
Topology Displays the topology of your AWS resources and how they relate to each other. See Topology dashboard reference for the Splunk App for AWS for more details. Topology aws:config
Relationships aws:config
Usage aws:cloudwatch
Activity aws:cloudtrail
VPC Flow aws:cloudwatchlogs:vpcflow
IAM aws:config
Billing aws:billing
Amazon Inspector and Config Rules aws:inspector, aws:config:rule

Timeline

Dashboard Description Panel Source Type
Timeline Chronologically display up to 200 historical events of specified services on a timeline. Timeline aws:description, aws:inspector, aws:cloudtrail, aws:config:rule, aws:config:notifications

Usage

Dashboard Description Panel Source Type
EC2 Instances Describes the usage of your EC2 instances.
Running EC2 Instances aws:description
In-Use Reserved EC2 Instances aws:description
Unused Reserved EC2 Instances aws:description
Running EC2 Instances by Category aws:description
Running EC2 Instances by Region aws:description
Running EC2 Instances by Type aws:description
Running EC2 Instances by Type Over Time aws:description
Running EC2 Instances by Region Over Time aws:description
EC2 Spot Instances Details aws:description
EC2 Reserved Instances aws:description
High Utilization EC2 Instances aws:cloudwatch, aws:description
Low Utilization EC2 Instances aws:cloudwatch, aws:description
Individual EC2 Instances Allows you to look up the detailed usage of specific EC2 instances.
EC2 Instance Details aws:description
Average CPU Utilization - Last 24h aws:cloudwatch
Total Network I/O - Last 24h aws:cloudwatch
Total Failed Status Checks - Last 24h aws:cloudwatch
Average CPU Utilization Over Time aws:cloudwatch
Total Network I/O Over Time aws:cloudwatch
Total Failed Status Checks Over Time aws:cloudwatch
EBS Volumes Describes the usage of EBS volumes. In-Use EBS Volumes aws:description
In-Use EBS Volume Size aws:description
EBS Snapshots Size aws:description
In-Use EBS Volumes by Type aws:description
EBS Volumes by Sizes aws:description
EBS Volumes by IOPS aws:description
Unused EBS Volumes aws:description
Non-Optimized EBS Volumes aws:description
EBS Volumes Without Recent (30 days) Snapshot aws:description
Standard EBS Volumes with IOPS > 95 - Last 7 Days aws:description, aws:cloudwatch
EBS Volumes with IOPS < 1 - Last 7 Days aws:description, aws:cloudwatch
Individual EBS Volumes Allows you to look up the detailed usage of specific EBS volumes. EBS Volume Details aws:description
Average IOPS - Last 24h aws:cloudwatch
Total Read/Write - Last 24h aws:cloudwatch
Average Queue Length - Last 24h aws:cloudwatch
Average IOPS Over Time aws:cloudwatch
Total Read/Write Over Time aws:cloudwatch
Average Queue Length Over Time aws:cloudwatch
ELB Instances Displays information about the ELBs in your environment. Total ELBs aws:description
Total Requests aws:cloudwatch
Unhealthy EC2 Instances aws:description
ELB Error Requests aws:cloudwatch
HTTP 4XX Responses aws:cloudwatch
HTTP 5XX Responses aws:cloudwatch
ELBs by Region aws:description
Requests by ELB aws:cloudwatch
Requests by HTTP Status Code aws:cloudwatch
Latency per ELB Over Time aws:cloudwatch
Requests per ELB Over Time aws:cloudwatch
Individual ELB Instances Allows you to look up detailed information about specific ELBs. Total Requests aws:cloudwatch
ELB Error Requests aws:cloudwatch
HTTP Error Requests aws:cloudwatch
Unhealthy EC2 Instances aws:description
ELB Details aws:cloudwatch
EC2 Instances aws:description
Latency Over Time aws:cloudwatch
Request Count Over Time aws:cloudwatch
HTTP Status Code Over Time aws:cloudwatch
Relational Database Service Displays RDS data from the CloudWatch service. RDS Instance Details aws:description, aws:cloudwatch
Average CPU Utilization aws:description, aws:cloudwatch
Average Freeable Memory aws:description, aws:cloudwatch
Average Free Storage Space aws:description, aws:cloudwatch
Average Write IOPS aws:description, aws:cloudwatch
Average Read Latency aws:description, aws:cloudwatch
Average Write Latency aws:description, aws:cloudwatch
Lambda Provides detailed metrics of functions run by the AWS Lambda compute service. Duration (ms) by Function aws:cloudwatch
Invocations by Function aws:cloudwatch
Errors by Function aws:cloudwatch
Throttles by Function aws:cloudwatch
GB-s by Function aws:cloudwatch
Duration (ms) by Function Over Time aws:cloudwatch
Invocations by Function Over Time aws:cloudwatch
Errors by Function Over Time aws:cloudwatch
Throttles by Function Over Time aws:cloudwatch
GB-s by Function Over Time aws:cloudwatch
API Gateway Lets you visually view metrics of APIs managed through your API Gateway.
Total Count by API aws:cloudwatch
Total Count by API Over Time aws:cloudwatch
Total Count by API aws:cloudwatch
Total Count by API Over Time aws:cloudwatch
Most Active Methods aws:cloudwatch
Slowest Methods aws:cloudwatch
Capacity Planner Allows you to analyze your usage to plan your capacity for upcoming months. Based on historical month data from Detailed billing reports with resources and tags. Total Instance Hours aws:billing
Percentage of On-Demand Hours aws:billing
Total Instance Cost aws:billing
Percentage of On-Demand Cost aws:billing
Instance Hours aws:billing
Reserved Instance Planner Helps you better plan your reserved instances by letting you view existing resources and providing optimal resource recommendations with estimated annual savings based on historical or predictive usage data. Reserved Instance Planner aws:billing, aws:description
Reserved Instance Inventory Displays usage statistics of reserved instances (RI) as well as current RI plans. RIs by Instance Type aws:description
RIs by Region aws:description
RIs by Offer Type aws:description
RI Plans aws:description
RI Plans to Expire Within One Month aws:description

Security

Dashboard Description Panel Source Type
Network ACLs Describes the Network ACL activity in your AWS environment, including error events, the number of Network ACLs, activity over time, and the detailed list of error activities. Network ACLs aws:description
Error Events aws:cloudtrail
Network ACL Actions aws:cloudtrail
Network ACL Activity Over Time aws:cloudtrail
Detailed Network ACLs Activity aws:cloudtrail
Network ACL Error Activity aws:cloudtrail
Security Groups Describes security group activity in your AWS environment, including error events, number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities. Security Groups aws:description
Security Group Rules aws:description
Error Events aws:cloudtrail
Security Group Actions aws:cloudtrail
Unused Security Groups aws:config
Security Group Activity Over Time aws:cloudtrail
Security Group Activity aws:cloudtrail
Authorize and Revoke Activity aws:cloudtrail
Security Group Error Activity aws:cloudtrail
IAM Activity Describes IAM activity in your environment, including the error events, which users have the most activity, activity over time, and the detailed list of error activities. Error Events aws:cloudtrail
Activity by User aws:cloudtrail
IAM Actions aws:cloudtrail
IAM Activity Over Time aws:cloudtrail
Authorized vs. Unauthorized Activity aws:cloudtrail
Detailed IAM Activity aws:cloudtrail
IAM Error Activity aws:cloudtrail
Key Pairs Activity Describes the key pair activity in your AWS environment, including error events, the number of in-use key pairs, which key pair is most used, activity over time, and the detailed list of error activities. In-Use Key Pairs aws:description
Error Events aws:cloudtrail
Key Pair Actions aws:cloudtrail
Key Pair Usage aws:description
Key Pair Activity Over Time aws:cloudtrail
Key Pair Activity aws:cloudtrail
Key Pair Error Activity aws:cloudtrail
S3 - Data Event Displays S3 event statistics Error Events aws:s3:accesslogs
Unauthorized Events aws:s3:accesslogs
Activities by User aws:s3:accesslogs
Events by UserAgent aws:s3:accesslogs
Events by UserName aws:s3:accesslogs
Events by BucketName aws:s3:accesslogs
Events Over Time aws:s3:accesslogs
Events by Origin aws:s3:accesslogs
Most Frequently Accessed Objects - Top 10 aws:s3:accesslogs
Most Recent Modifications - Latest 10 aws:s3:accesslogs
VPC Activity Describes VPC activity in your environment, including the error events, number of VPCs, activity over time, and the detailed list of error activities. VPCs aws:description
Error Events aws:cloudtrail
Network VPC Actions aws:cloudtrail
VPC Activity Over Time aws:cloudtrail
Detailed VPC Activity aws:cloudtrail
VPC Error Activity aws:cloudtrail
Resource Activity Shows the resource changes over time and the detailed change list. Changes Over Time aws:config:notification
Changes by Resource Type aws:config:notification
Resources aws:config:notification
User Activity Describes user activity in your AWS environment, including the number of active users, error/unauthorized activities, activity over time, and list of activities. You can also filter activities by ARN or username. Active Users aws:cloudtrail
Error Activities aws:cloudtrail
Unauthorized Activities aws:cloudtrail
User Activity by Event Name Over Time aws:cloudtrail
User Activity by User Name Over Time aws:cloudtrail
Most Recent User Activity Grouped by Event Name aws:cloudtrail
Event Details aws:cloudtrail
Geographic Source of Event(s) aws:cloudtrail
CloudFront - Traffic Analysis Traffic and error metrics about your CloudFront distribution. Total Requests aws:cloudfront:accesslogs
Error Requests aws:cloudfront:accesslogs
Total Request Traffic aws:cloudfront:accesslogs
Total Response Traffic aws:cloudfront:accesslogs
Cache Hit Ratio aws:cloudfront:accesslogs
Traffic Size by Location (Bytes) aws:cloudfront:accesslogs
Request Count by Location aws:cloudfront:accesslogs
HTTP Status aws:cloudfront:accesslogs
User Agents aws:cloudfront:accesslogs
CloudFront Edge Details aws:cloudfront:accesslogs
Top URLs aws:cloudfront:accesslogs
Top Request by Edge Location aws:cloudfront:accesslogs
Slowest Requests aws:cloudfront:accesslogs
Heaviest Traffic Requests aws:cloudfront:accesslogs
Latency Over Time aws:cloudfront:accesslogs
Traffic (MB) Over Time aws:cloudfront:accesslogs
ELB - Traffic Analysis Data from your ELB access logs. Total Entries aws:elb:accesslogs
Total ELBs aws:elb:accesslogs
Unique Clients aws:elb:accesslogs
Total Data Sent aws:elb:accesslogs
Total Data Received aws:elb:accesslogs
Traffic Size by Location (Bytes) aws:elb:accesslogs
Request Count by Location aws:elb:accesslogs
Error Entries aws:elb:accesslogs
Average Processing Time aws:elb:accesslogs
Top Error-Causing Requests aws:elb:accesslogs
Error Count aws:elb:accesslogs
Top Time-Consuming Requests aws:elb:accesslogs
Processing Time (ms) aws:elb:accesslogs
S3 - Traffic Analysis Data from your S3 access logs. Total Requests aws:s3:accesslogs
Error Requests aws:s3:accesslogs
Total Traffic aws:s3:accesslogs
Average Processing Time aws:s3:accesslogs
Traffic Size by Location (Bytes) aws:s3:accesslogs
Request Count by Location aws:s3:accesslogs
HTTP Status aws:s3:accesslogs
S3 Error Code aws:s3:accesslogs
Top User Agents aws:s3:accesslogs
Top Requests aws:s3:accesslogs
Request Count Over Time aws:s3:accesslogs
Top Error Requests aws:s3:accesslogs
Error Count Over Time aws:s3:accesslogs
VPC Flow Logs - Traffic Analysis Provides an overview of your network traffic. Monitored Interfaces aws:cloudwatchlogs:vpcflow
Traffic Protocols aws:cloudwatchlogs:vpcflow
All Traffic (GB) aws:cloudwatchlogs:vpcflow
Traffic Destinations aws:cloudwatchlogs:vpcflow
Traffic Sources aws:cloudwatchlogs:vpcflow
Traffic Over Time by Interface (Top 5) aws:cloudwatchlogs:vpcflow
Traffic Size by Protocol and Location aws:cloudwatchlogs:vpcflow
Top Destination Addresses aws:cloudwatchlogs:vpcflow
Top Destination Ports aws:cloudwatchlogs:vpcflow
Top Source Addresses aws:cloudwatchlogs:vpcflow
VPC Flow Logs - Security Analysis Provides an overview of your rejected network traffic. Accepted vs. Rejected Over Time (Bytes) aws:cloudwatchlogs:vpcflow
Accepted vs. Rejected Traffic by Location aws:cloudwatchlogs:vpcflow
Top Rejected Destination Ports aws:cloudwatchlogs:vpcflow
Top Rejected Source Addresses aws:cloudwatchlogs:vpcflow
Top 50 Rejected Address Pairs aws:cloudwatchlogs:vpcflow

Insights

Note: Splunk Light does not support the Insights dashboards, including the Insights Overview dashboard under the Overview menu. If you use Splunk Light, all Insight dashboard menus will be hidden from view.

Dashboard Description Panel Source Type
Config Rules Displays compliance status results based on the AWS Config rules that you have set up in your environment. Active Config Rules aws:config:rule
Non-Compliant Config Rules aws:config:rule
Non-Compliant Resources aws:config:rule
Compliant vs Non-Compliant Config Rules aws:config:rule
Compliant vs Non-Compliant Resources aws:config:rule
Non-Compliant Resources by Config Rules aws:config:rule
Active Config Rules Summary aws:config:rule
Non-Compliant Resource Details aws:config:rule
Non-Compliant Resources Over Time aws:config:rule
Amazon Inspector Displays results of your Amazon Inspector findings, which you can filter by assessment run and severity. From the Findings table on this dashboard, click on an EC2 instance name to jump directly to the Topology dashboard and view that EC2 instance in context. Completed Assessment Runs aws:inspector
Total Findings aws:inspector
High Severity aws:inspector
Medium Severity aws:inspector
Low Severity aws:inspector
Informational Severity aws:inspector
Findings aws:inspector
EC2 Insights Displays EC2 instances with potential problems. Note: At least four days worth of CloudWatch data for EC2 instances over the past seven days must be available for the dashboard to work. EC2 Insights aws:description, aws:cloudwatch
Elastic IP Insights Displays public IPs with problems and provides best practice recommendations. Elastic IP Insights aws:description
ELB Insights Displays load-balancing problems at different severity levels and provides best practice recommendations. Elastic Load Balancing Insights aws:description, aws:cloudwatch
EBS Insights Displays detected EBS-related anomalies at different severity levels and provides best practice recommendations. EBS Insights aws:description, aws:cloudwatch
AWS Personal Health Displays statuses of different types of services. Service Status aws:sqs
Security Group Insights Displays different severity levels of detected problems with the configuration and usage of security groups in your AWS environment. Security Group Insights aws:description
IAM Insights Displays different severity levels of detected problems with IAM authentication setup and management in your AWS environment. IAM Insights aws:description

Billing

Dashboard Description Panel Source Type
Budget Planner Helps you better plan budgets and control expenses by letting you set monthly budgets over a period of time and visually view all aspects of your budget information and track actual expenses against your budgets. Total Budget aws:billing
Monthly Budget aws:billing
Remaining Total Budget aws:billing
Budget Burndown aws:billing
Budget aws:billing
Month-over-month Budget aws:billing
Current Month Estimated Billing Projected AWS bill information based on your CloudWatch billing metrics.
Note that the Total Projected Cost -- This Month and Cost Projection Over Time panels rely on at least two data points before a projection can appear, thus these panels show "No results found" for the first few days of each new month.
Estimated Cost - Month to Date aws:cloudwatch
Total Projected Cost - This Month aws:cloudwatch
Estimated Cost by Account aws:cloudwatch
Estimated Cost by Service aws:cloudwatch
Month over Month Comparison - Daily Cost aws:cloudwatch
Cost Projection Over Time aws:cloudwatch
Estimated Cost by Account and Service - Month to Date aws:cloudwatch
Historical Monthly Bills Displays your monthly billing cost up to but excluding the current month. AWS continues to update the monthly billing report several days after the last day of a calendar month, so you may see some fluctuation in the most recent monthly charge during the first few days of a new month.
Note that the Cost by Region panel is not available in consolidated accounts and show incomplete costs in nonconsolidated accounts if your bills include items that do not have region information associated with them.
Cost by Account aws:billing
Cost by Service aws:billing
Cost by Region aws:billing
EC2 Cost by Instance Type aws:billing
EBS Cost by Usage Type aws:billing
Month over Month Comparison aws:billing
Cost by Account and Service aws:billing
Historical Detailed Bills Allows you to analyze your detailed billing history using your Detailed billing reports with resources and tags. Does not include data for the current month. Expect long load times for this dashboard due to the large amount of data in the Detailed billing report. Total Cost aws:billing
Cost Over Time aws:billing
Last modified on 18 August, 2017
Work with your data in the Splunk App for AWS   Filter dashboards by tags in the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.0.0, 5.0.1, 5.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters