Splunk® App for AWS Security Dashboards

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for AWS Security Dashboards. For documentation on the most recent version, go to the latest release.

Create an optional custom index

Most configuration for the Splunk App for AWS Security Dashboards is handled in the add-on. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for AWS, see Installation overview for the Splunk Add-on for AWS in the Splunk Add-on for AWS manual.

By default, your AWS accounts and inputs data are stored in a predefined index named "summary." If you want to use a custom index, perform the following steps:

  1. Create an index in which you want to store AWS accounts and inputs data. You must create the index on an indexer or indexer cluster, and not on a search head or heavy forwarder. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual for information about creating an index.
  2. In the Splunk Add-on for AWS, modify the aws-account-index and aws-input-index macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  3. In the Splunk Add-on for AWS, run these saved searches: Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs.
    1. Go to Settings > searches, reports, and alerts.
    2. In the Actions column, click Run for each saved search.
  4. In the Splunk App for AWS Security Dashboards, modify the aws-security-addon-account-index and aws-security-addon-input-index macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  5. In the Splunk App for AWS Security Dashboards, run the AWS Security Addon Synchronization saved search to sync the macros.
Last modified on 28 February, 2022
Create indexes and schedule saved searches   Migrate from Splunk App for AWS to Splunk App for AWS Security Dashboards

This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters