Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Configure dashboard warning messages and billing options

Use the Configure tab in the Splunk App for AWS to configure custom AWS billing tags, warning messages for dashboards, and the AWS billing type.

Use custom AWS billing tags

Manually enable custom tags from the AWS Billing & Cost Management console to filter and group billing data in the Capacity Planner and Historical Detailed Billing dashboards. By default, custom AWS billing tags are disabled in the Splunk App for AWS. For better performance, select only the tags you need.

For information about creating custom tags, see Using Cost Allocation Tags on the Amazon website.

To select tags to filter and group data, follow these steps.

  1. From the Splunk App for Infrastructure, select the Configure tab.
  2. Under Billing, click Select Billing Tags.
  3. If you created custom tags in the AWS Billing & Cost Management console, they will appear in the pop-up window. Select each tag you want to use in the Capacity Planner and Historical Detailed Billing dashboards.
  4. When you are done, click Save.

For more information about using custom tags in the Splunk App for AWS, see Select tags for your Historical Detailed Billing and Capacity Planner dashboards in the User Manual.

Configure warning message settings for your dashboards

A warning message displays at the top of a dashboard when there is an error displaying an element of the dashboard.

For example, if you are trying to monitor AWS resources from a dashboard and have not yet configured a specific input that populates panels on that dashboard, a message will display indicating that some panels will not provide any information because you have not configured the required input. Similarly, if you have not scheduled a saved search that populates panels on the dashboard, a message displays indicating you have not scheduled the required saved search to start populating panels.

By default, warning messages for each dashboard tab are enabled. You can manage warning messages for these dashboard tabs:

  • Overview
  • Topology
  • Timeline
  • Usage
  • Security
  • Insights
  • Billing

You cannot manage message warnings for each dashboard under a specific tab. If you enable or disable warning messages for a dashboard tab, it will enable or disable warning messages for every dashboard under the dashboard tab.

Even when you disable warning messages for a dashboard tab, you can view warning messages for each panel that is not displaying data in each dashboard. To do so, click the warning icon in the top-right corner of the dashboard panel.

Follow these steps to manage warning messages for each dashboard tab.

  1. From the Splunk App for AWS, select the Configure tab.
  2. Under Warning message settings, select or deselect dashboard tabs to display or hide warning messages, respectively.

Specify the type of AWS billing data to monitor

If you use the consolidated billing feature in your AWS organization, Cost and Usage Reports are availably in only your master account. For more information, see AWS Cost and Usage Report on the Amazon website.

You can use either Detailed Billing Reports or Cost and Usage Reports (CUR-Hourly/Daily) to monitor AWS billing data in the Splunk App for AWS. You cannot use both reports at the same time. To use a report in the Splunk App for AWS, you must have already configured the input in the Splunk Add-on for Amazon Web Services. If you configured both Hourly and Daily CUR reports in the Splunk Add-on for Amazon Web Services, disable one so you don't receive duplicate data.

If you configured a Billing (Legacy) input and a Billing (Cost and Usage Report) input, the Splunk App for AWS will not display data from both inputs. Selecting a new billing report type overrides any local navigation files. The Splunk App for AWS populates these dashboards and panels with billing data according to only the billing report type you specify:

  • Budget Planner dashboard
  • Historical Monthly Bills dashboard
  • Historical Detailed Bills dashboard
  • Capacity Planner dashboard
  • Reserved Instance Planner dashboard
  • Reserved Instance Inventory (RI Utilization by Family in Last Month panel)
  • Topology dashboard (Billing layer)
  • Reserved Instance Planner Detail dashboard

Follow these steps to specify the billing report type.

  1. From the Splunk App for AWS, select the Configure tab.
  2. Under Select billing report type, select one of these options:
    Billing report type Source type Description
    Billing (Legacy) aws:billing Populates all billing dashboards and panels using Detailed Billing Reports. To learn more about this billing report type, see Configure Billing inputs for the Splunk Add-on for AWS.
    Billing (Cost and Usage Report) aws:billing:cur Populates all billing dashboards and panels using AWS CUR. The AWS CUR you use to monitor billing data in the app must have a Time granularity of Hourly or Daily. For more information about the time granularity of AWS CUR, see Creating an AWS Cost and Usage Report on the Amazon website.


    When you select this billing report type, you should have a CUR with at least one month of available data and a generated invoice. To learn more about this billing report type, see Configure Cost and Usage Report inputs for the Splunk Add-on for AWS.

Last modified on 03 February, 2020
Create indexes and schedule saved searches for the Splunk App for AWS   Upgrade the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 6.0.0, 6.0.1, 6.0.2, 6.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters