Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Troubleshoot the Splunk App for AWS

Advanced settings

Depending on where you have deployed the app, you may have access to advanced settings.

If you are using the Splunk App for AWS on an on-premises instance of Splunk Enterprise or on a Splunk Cloud instance with a URL of the pattern https://prd-*.cloud.splunk.com, you can access more settings by editing the Splunk Add-on for Amazon Web Services data inputs directly. For details, see "Configure inputs for the Splunk Add-on for AWS" in the Splunk Add-on for Amazon Web Services manual, part of the Supported Add-ons documentation.

If you are using the Splunk App for AWS on a Splunk Cloud instance with a URL of the pattern https://*.splunkcloud.com, you cannot access these settings.

Topology dashboard shows no data

The topology dashboard requires data from the saved search called Config: Topology Data Generator, which you can find in the app under Search > Reports. This search runs every twenty minutes and helps populate your Topology dashboard. If you configure your AWS Config input through the app, this saved search is automatically enabled and scheduled. If, however, you configure your AWS Config input through the add-on instead, you need to manually enable and schedule the saved search.

Accessing logs

You can access internal log data for help with troubleshooting by searching by source type.

Source type                Data source
aws:cloudtrail:log         aws_cloudtrail.log
aws:cloudwatch:log         aws_cloudwatch.log
aws:cloudwatchlogs:log     Splunk_TA_aws_aws_cloudwatch_logs.log
aws:config:log             aws_config.log
aws:description:log        Splunk_TA_aws_aws_description.log
aws:billing:log            aws_billing.log
aws:s3:log                 aws_s3.log
aws:restendpoints:log      Splunk_TA_aws-RestEndpoints*.log, populated by the REST API handlers called when setting up the add-on or a data input
aws:proxy-conf:log         proxy_conf.log, the proxy handler used in all AWS data inputs
aws:s3util:log             s3util.log, populated by the S3, CloudWatch, and SQS connectors
aws:regex-dimensions:log   regex_dimensions.log, the regex dimension matcher used in CloudWatch
aws:ta:util                ta_util, a shared utilities library

Four additional logs do not have source types associated with them at this time: Splunk_TA_aws_ta_util_conf_manager.log, Splunk_TA_aws_ta_util.log, Splunk_TA_aws_ta_util_rest.log, and Splunk_TA_aws_ta_util_scheduler.log. These four logs support the description and CloudWatch Logs modular inputs implemented in the Splunk Add-on for AWS, and you can find them in $SPLUNK_HOME/var/log/splunk.

S3 input performance issues

You can configure multiple S3 inputs for a single S3 bucket to improve performance. The Splunk platform dedicates one process for each data input, so provided that your system has sufficient processing power, performance will improve with multiple inputs.

Note: Be sure that multiple inputs do not collect the same S3 folder and file data, to prevent indexing duplicate data.
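One way to check for the duplicate collection the note warns about, as an added example that is not part of the Splunk documentation or the add-on's own code: it parses inputs.conf stanzas (assuming the add-on's aws_s3:// stanza form with bucket_name and a key_name prefix) and reports pairs of inputs on the same bucket whose prefixes nest, since every object under the longer prefix would be indexed by both.

```python
# Added example, not from the Splunk docs or the add-on: flag S3 inputs that
# cover the same bucket/prefix and would therefore index the same objects twice.
# Assumes the add-on's [aws_s3://<name>] stanzas with bucket_name and key_name.
import configparser
from itertools import combinations
# Constructed sample inputs.conf: cloudtrail_all swallows both regional inputs.
SAMPLE_INPUTS_CONF = """[aws_s3://cloudtrail_us_east]
bucket_name = acme-logs
key_name = AWSLogs/123456789012/CloudTrail/us-east-1/
[aws_s3://cloudtrail_us_west]
bucket_name = acme-logs
key_name = AWSLogs/123456789012/CloudTrail/us-west-2/
[aws_s3://cloudtrail_all]
bucket_name = acme-logs
key_name = AWSLogs/123456789012/CloudTrail/
[aws_s3://elb_logs]
bucket_name = acme-elb
key_name = AWSLogs/
"""


def parse_s3_inputs(conf_text):
    """Return {input_name: (bucket, prefix)} for every aws_s3:// stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    inputs = {}
    for section in parser.sections():
        if section.startswith("aws_s3://"):
            stanza = parser[section]
            # An absent key_name means the input collects the whole bucket.
            inputs[section[len("aws_s3://"):]] = (
                stanza.get("bucket_name", "").strip(),
                stanza.get("key_name", "").strip(),
            )
    return inputs


def find_overlaps(inputs):
    """Return sorted name pairs on the same bucket where one prefix contains the
    other (equal prefixes included): objects under the longer prefix match both."""
    overlaps = []
    for (a, (bkt_a, pfx_a)), (b, (bkt_b, pfx_b)) in combinations(sorted(inputs.items()), 2):
        if bkt_a == bkt_b and (pfx_a.startswith(pfx_b) or pfx_b.startswith(pfx_a)):
            overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for a, b in find_overlaps(parse_s3_inputs(SAMPLE_INPUTS_CONF)):
        print(f"duplicate coverage: {a} and {b}")
```

Splitting one bucket by non-nesting prefixes (the two regional inputs above) is the pattern that gains throughput without double indexing.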

Last modified on 14 January, 2016

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.0.0
