Splunk® App for AWS (Legacy)

User Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Filter dashboards by tags in the Splunk App for AWS

The Splunk App for AWS dashboards allow you to filter content by the tags you have defined in Amazon Web Services. Tags are custom metadata that you can use to identify and organize your AWS resources. Each of your resources can have up to ten tags, each of which consists of a key and an optional value. See the Reference section below for more information about defining tags in AWS.

Use the tags filter on a dashboard

To use the tags filter, navigate to any Splunk App for AWS dashboard that supports the filter, such as the Overview dashboard.

In the Tags fied, enter your search criteria for filtering AWS resources data based on tag values. The tags filter supports the following operators:

  • key=value
  • key!=value
  • key1=value1 AND key2=value2
  • key1=value1 OR key2!=value2


Some dashboards do not include a tags filter, often because the data in that dashboard is not relevant to tags.

Select tags for your Historical Detailed Billing and Capacity Planner dashboards

Both the Historical Detailed Billing and Capacity Planner dashboards rely on data from your Detailed billing reports with resources and tags. These reports can be very large, affecting the performance of your dashboards. For this reason, all custom tags are disabled by default.

A Splunk platform administrator can select the custom tags that should appear in your tag filters for these dashboards on the app's Configure tab. When you initially select tags and each time you change your selections, your Capacity Planner and Historical Detailed Billing dashboards will be unavailable while their underlying data models are rebuilt to reflect your tag selections. The time required for the data models to rebuild depends on the volume of your billing data.

You can check on the status of the data models by going to Settings > Data models and expanding the rows for the the Detailed Billing, Detailed Billing CUR, Instance Hour, Instance Hour CUR data models.

The tags that you select to use on these two dashboards are available both as standard filters at the top of the dashboard and in special "Group By" filters. In the Cost Analysis section of the Historical Detailed Bills dashboard, you have the options to filter your data by Service and Operation, and then further group the results by either the Product Name, Availability Zone, Operation, or any custom tags that you have selected. Similarly, on the Capacity Planner dashboard, you can group by Instance Type, Reservation, Availability Zone, or any custom tags you have selected.

Note: In the Tags drop-down menu, the app replaces any special characters in your tags with underscores and truncates tag names to the first 32 characters. When searching for a tag, modify your search to match.

Reference

For more information about how to create tags in AWS, see http://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html. You can also read the AWS documentation for specific services for more detailed information and best practices for how to apply tags to your resources.

For example, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html for information on tagging EC2 resources.

Last modified on 30 May, 2019
Overview of the dashboards in the Splunk App for AWS   Create anomaly detection rules

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters