Migrate from the Splunk App for AWS to the Content Pack for Amazon Web Services Dashboards and Reports
Dashboards of Splunk App for AWS are packaged and available in Splunk App for Content Packs and Splunk App for AWS Security Dashboards. Based on the use cases of the dashboards, these dashboards have been packaged in the following two Apps:
- Content Pack for AWS Dashboards and Reports (packaged in Splunk App for Content Packs) - Contains the Dashboards and Knowledge objects related to IT Monitoring. For more details, see Dashboard reference for the Content Pack for Amazon Web Services Dashboards and Reports.
- Splunk App for AWS Security Dashboards - Contains the Dashboards and Knowledge objects for Security use cases. For more details, see Overview of the dashboards in the Splunk App for AWS Security Dashboards.
Based on the primary use case that you want Splunk App for AWS to enable, you may want to use one or both of the above-mentioned Apps.
On July 15, 2022, the Splunk App for AWS reached its end of life. Splunk no longer maintains or develops this product. The functionality in this app migrated to the Content Pack for Amazon Web Services Dashboards and Reports.
If you are currently using the Splunk App for AWS, your deployment might look like the following image:
Product | Data collection node (forwarder) |
Indexer | Search head |
---|---|---|---|
Splunk Add-on for AWS | ✓ | ✓ | ✓ |
Splunk App for AWS | ✓ |
To review dashboards included with the Content Pack for Amazon Web Services Dashboards and Reports before you migrate, see Dashboard reference for the Content Pack for Amazon Web Services Dashboards and Reports.
Changes in Splunk Add-on for Amazon Web Services
Splunk Add-on for AWS has deprecated the usage of the aws:description
source type and currently supports the use of the aws:metadata
source type to get data in for versions 6.0.0 or later. For more information, see the documentation about the different source types that Splunk Add-on for AWS supports in Source types for the Splunk Add-on for AWS.
Migration steps for cloud environments
For migration on Cloud, file a ticket on the Splunk Support Portal, in the Support and Services section. Splunk Cloud TechOps will assist you with migration from Splunk App for AWS to Content Pack for AWS Dashboards and Reports.
Update configuration and access dashboards for IT Monitoring use case
If you are ingesting the AWS Metadata data in custom indexes other than the default indexes used by Splunk App for AWS, then perform the following steps after your stack is migrated from Splunk App for AWS to Splunk App for Content Packs (including the Content Pack for AWS Dashboards and Reports):
- Open ITE work or IT Service Intelligence
- Navigate to Settings > Advanced Search
- Click on Search macros
- Select AWS Dashboards and Reports from the App drop-down
- Search for the macro in the third column of the table in the Search bar
- Copy the definition with the custom indexes value
- Search for the macro listed in the fourth column of the table in the Search bar
- Update the definition with the copied custom indexes value.
Type of data ingested from Splunk Add-on for AWS in custom indexes for versions earlier than 6.0.0 |
Type of data ingested from Splunk Add-on for AWS in custom indexes for version 6.0.0 or later |
Macro present in Splunk App for AWS | Corresponding macro to be configured in AWS Dashboards and Reports Content Pack for custom indexes |
Example value for macro |
---|---|---|---|---|
Description data | Metadata data | aws-description-index | aws-metadata-index | index = custom_index1 OR index = custom_index2 |
Update configuration and access dashboards for Security use case
If you are ingesting the AWS Metadata data in custom indexes other than the default indexes used by Splunk App for AWS, then perform the following steps after your stack is migrated from Splunk App for AWS to Splunk App for AWS Security Dashboards:
- Open Splunk App for AWS Security Dashboards
- Navigate to Settings > Advanced Search
- Click on Search macros
- Select AWS Dashboards and Reports from the App drop-down
- Search for the macro in the third column of the table in the Search bar
- Copy the definition with the custom indexes value
- Search for the macro listed in the fourth column of the table in the Search bar
- Update the definition with the copied custom indexes value.
Type of data ingested from Splunk Add-on for AWS in custom indexes for versions earlier than 6.0.0 |
Type of data ingested from Splunk Add-on for AWS in custom indexes for version 6.0.0 or later |
Macro present in Splunk App for AWS | Corresponding macro to be configured in Splunk App for AWS Security Dashboards for custom indexes |
Example value for macro |
---|---|---|---|---|
Description data | Metadata data | aws-description-index | aws-metadata-index | index = custom_index1 OR index = custom_index2 |
After updating the definition in the procedure above, run AWS Security Addon Synchronization
SavedSearch:
- Navigate to Settings > Searches, Reports, and Alerts
- Search
AWS Security Addon Synchronization
SavedSearch - Click on Run from the Actions tab
- Accelerate the data models present in Splunk App for AWS Security Dashboards as per the use case.
Migration steps for on-premises standalone or distributed environments
If you're using an on-prem environment, you can perform the migration from the Splunk App for AWS to the Content Pack for Amazon Web Services Dashboards and Reports yourself.
Before migration
Before migrating to Content Pack for AWS Dashboards and Reports, make sure to follow the steps below in order to make a backup of your custom configurations and lookups.
- Make a backup of the following directories in the splunk_app_aws package present in the
$SPLUNK_HOME/etc/apps
on each search head: /local
directory which contains all the local configurations of the conf files/lookups
directory which contains the CSV lookups- Make a backup of the KV Store lookups present in the app.
- Identify the KV Store captain from different search heads. (Perform this step if the you are using a Search Head Cluster environment). For a Single Search Head deployment, the only search head will be KV store captain:
$SPLUNK_HOME/bin/splunk show kvstore-status
- Login to the KVStore Captain search head and run the following command.
$SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_aws_kvstore_backup -appName splunk_app_aws
- Identify the latest backup in
$SPLUNK_HOME/var/lib/splunk/kvstorebackup
and copy thesplunk_app_aws_kvstore_backup.tar.gz
backup file to $SPLUNK_HOME/tmp. This archive file is required to restore the App KV Store lookup data during migration.
In Splunk App for Content Packs version 1.7.0 and later, the use of aws:description
sourcetype in AWS Dashboards and Reports Content Pack is deprecated because Splunk App for Content Packs now supports the aws:metadata
sourcetype. See the Deployment requirements table in "About the Content Pack for Amazon Web Services Dashboards and Reports" to ensure the correct version of the content pack, ITSI, IT Essentials Work, and the Splunk Add-on for AWS.
Migrate from Splunk App for AWS to Content Pack for AWS Dashboards and Reports
Follow the steps below to migrate from Splunk App for AWS to Content Pack for AWS Dashboards and Reports. Only perform this migration procedure after you've completed the prerequisites in the "Before migration" sub-section to back up your existing lookups and custom configurations.
- Perform the following steps on each search head present in your deployment to disable the Splunk App for AWS
- Create an app.conf file in your local directory if it is not present, then navigate to
{SPLUNK_HOME}/etc/apps/splunk_app_aws/local/app.conf
and edit the "state" property of "install" stanza as shown below:
[install] state = disabled
- Restart the instance:
$SPLUNK_HOME/bin/splunk restart
- Install IT Service Intelligence (ITSI) or IT Essentials Work on the same search head with AWS data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
- Install Splunk IT Service Intelligence on a single instance
- Install Splunk IT Service intelligence in a distributed environment
- Install IT Service Intelligence in a search head cluster environment
- Install IT Essentials Work
- Install the Splunk App for Content Packs according to your type of deployment as per the deployment requirements:
After you've completed the previous steps, the deployment looks like the following image:
Product | Data collection node (forwarder) | Indexer | Search head |
---|---|---|---|
Splunk Add-on for AWS | ✓ | ✓ | ✓ |
Splunk App for AWS | Disabled | ||
ITSI or IT Essentials Work | ✓ | ||
Splunk App for Content Packs | ✓ |
After migration
After migration, perform the following procedure:
- Restore the backup of the KV Store lookup.
- Identify the KV Store captain from different Search Heads. (Perform this step if the you are using Search Head Cluster environment). For Single Search Head Deployment, the only search head will be KV store captain:
$SPLUNK_HOME/bin/splunk show kvstore-status
- If the KV Store captain has changed, then move the KV Store backup file from old KV Store Captain to current KV Store Captain. Run the following command on the search head where KVStore backup was taken as part of the "Before migration" sub-section (Perform this step if the you are using Search Head Cluster environment):
scp /path_of_splunk_app_aws_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
- Login to KV Store Search Head captain instance and update the owner of the backup tar file:
chown splunk:splunk $SPLUNK_HOME/tmp/splunk_app_aws_kvstore_backup.tar.gz
- On your current KV Store captain, untar the backup tar file.
tar -xzvf $SPLUNK_HOME/tmp/splunk_app_aws_kvstore_backup.tar.gz
- Rename the folder:
mv $SPLUNK_HOME/tmp/splunk_app_aws $SPLUNK_HOME/tmp/DA-ITSI-CP-aws-dashboards
- Tar the upgraded folder name:
tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-aws-dashboards_kvstore_backup.tar.gz DA-ITSI-CP-aws-dashboards
- Move the
$SPLUNK_HOME/tmp/DA-ITSI-CP-aws-dashboards_kvstore_backup.tar.gz
file in$SPLUNK_HOME/var/lib/splunk/kvstorebackup
. - Restore the backup:
$SPLUNK_HOME/bin/splunk restore kvstore -archiveName DA-ITSI-CP-aws-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-aws-dashboards
- Perform the following steps on each search head present in your deployment:
- Move the following directories from the App package to the DA-ITSI-CP-aws-dashboards folder that was backed up before you started migration:
/local
directory collected from the app which contains all the local configurations of the app/lookups
directory- Remove the
app.conf
file from local directory. - (Optional) Navigate to $SPLUNK_HOME/etc/apps/DA-ITSI-CP-aws-dashboards/local directory .
- If the
datamodels.conf
file is present, removeELB_Access_Log
andS3_Access_Log
stanzas and their content, if present - Restart the instance:
$SPLUNK_HOME/bin/splunk restart
Install and configure Content Pack for AWS Dashboards and Reports
Dashboards present in Splunk App for AWS are installed by default in Content Pack for AWS Dashboards and Reports. Follow the steps below to enable the Savedsearches used by Content Pack Dashboards and ITSI objects, and install additional ITSI objects provided by Content Pack:
- Make sure that the AWS data collected using the Splunk Add-on for AWS is searchable from the search head where you installed the Splunk App for Content Packs.
- Follow the steps to Install and configure the Content Pack for Amazon Web Services Dashboards and Reports.
Access the dashboards in the content pack
You can now access the dashboards from the content pack:
- Log into your Splunk platform instance and open ITSI or IT Essentials Work.
- Go to Dashboards on the main navigation bar and choose Dashboards from the drop-down menu.
- From the list of dashboards, those with the suffix - AWS are from the Content Pack for Amazon Web Services Dashboards and Reports. Select the dashboard title to open the dashboard.
Configure the Content Pack for Amazon Web Services Dashboards and Reports in a new environment
The second option for migrating from the Splunk App for AWS to the Content Pack for Amazon Web Services Dashboards and Reports is to configure the content pack in a new environment.
To configure the content pack in a new environment, create a test environment and perform these steps to set up the Content Pack for Amazon Web Services Dashboards and Reports:
- After installing the Splunk App for Content Packs, install the content pack in your test environment.
- After you complete testing the content pack in your test environment, install the content pack in your production environment.
To learn how to install the content pack, see Install and configure the Content Pack for Amazon Web Services Dashboards and Reports.
Install and configure the Content Pack for Amazon Web Services Dashboards and Reports | Use the Content Pack for Amazon Web Services Dashboards and Reports |
This documentation applies to the following versions of Content Pack for Amazon Web Services Dashboards and Reports: 1.5.0
Feedback submitted, thanks!