Splunk® App for AWS (Legacy)

Installation and Configuration Manual

Acrobat logo Download manual as PDF

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). Click here for the latest version.
Acrobat logo Download topic as PDF

Add a CloudTrail input for the Splunk App for AWS

Create a CloudTrail input to gather data about management and change events in your AWS environment.

You can only configure one CloudTrail input per AWS Account Access Key ID, which you select by its corresponding friendly name. You can configure multiple CloudTrail inputs for the same AWS environment, provided each one is created with a different friendly name.

If you have multiple AWS Account IDs from which you want to gather CloudTrail data, Amazon Web Services recommends that you configure a single S3 bucket and SNS queue to collect them, but doing so alters the format of the SQS and CloudTrail messages produced. The Splunk App for AWS can parse these message formats if you configure an S3 input instead of a CloudTrail input and manually set the source type to aws:cloudtrail. An input configured this way is less performant than configuring a CloudTrail input, but this is Amazon Web Service's recommended configuration.


Before you can successfully configure a CloudTrail input, you need to:

1. Set up the CloudTrail service for all the regions that you want to track data in the Splunk App for AWS. If you have not already done this, see "Configure your AWS services for the Splunk App for AWS" in this manual.

2. Make sure that the account friendly name you use to configure this input corresponds to an AWS Account Access Key ID that has the necessary permissions to gather this data. If you have not already done this, see "Configure your AWS permissions for the Splunk App for AWS" in this manual.

Add a new CloudTrail input

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the CloudTrail box, click Set up.

3. Select the friendly name of the AWS Account that you want to use to collect CloudTrail data. If you have not yet configured the account you need, click Add New Account to configure one now.

4. Under SQS Configurations, select a Region for which you have enabled CloudTrail.

5. Click Select an SQS queue to view the SQS queue names for the region you have selected. If you do not see any, verify that you have completed all steps in the prerequisites. Do not configure multiple CloudTrail inputs pulling data from the same SQS queue. Having multiple inputs can cause conflicts when one input tries to delete an SQS message that another input is attempting to access and parse.

6. Select the queue name that is subscribed to the SNS topic for CloudTrail notifications for this region.

7. Click the + button to add another region.

8. Repeat steps 4 - 6 until you have configured SQS queues for all the regions where you have CloudTrail enabled in AWS.

9. Click Add to save and enable this data input.

When you create the data input, the Splunk App for AWS immediately begins collecting your CloudTrail data.

Edit or delete a CloudTrail input

You can view, edit, or delete your existing CloudTrail inputs from the CloudTrail Inputs screen.

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the CloudTrail box, click the link that tells you how many inputs you currently have configured for CloudTrail.

3. The CloudTrail screen displays a list of CloudTrail inputs, organized by the account friendly name used to create the input.

4. From here, you can click the account names to open the individual inputs to edit them, or you can delete an input by clicking the trash can icon.

Last modified on 17 August, 2018
Add an AWS Config input for the Splunk App for AWS
Add a CloudWatch input for the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.0.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters