Troubleshoot the Splunk App for AWS
Advanced settings
Depending on where you have deployed the app, you may have access to advanced settings.
If you are using the Splunk App for AWS on an on-premises instance of Splunk Enterprise or on a Splunk Cloud instance with a URL of the pattern https://prd-*.cloud.splunk.com, you can access more settings by editing the Splunk Add-on for Amazon Web Services data inputs directly. For details, see "Configure inputs for the Splunk Add-on for AWS" in the Splunk Add-on for Amazon Web Services manual, part of the Supported Add-ons documentation.
If you are using the Splunk App for AWS on a Splunk Cloud instance with a URL of the pattern https://*.splunkcloud.com, you cannot access these settings.
Topology dashboard shows no data
The topology dashboard requires data from the saved search called Config: Topology Data Generator, which you can find in the app under Search > Reports. This search runs every twenty minutes and helps populate your Topology dashboard. If you configure your AWS Config input through the app, this saved search is automatically enabled and scheduled. If, however, you configure your AWS Config input through the add-on instead, you need to manually enable and schedule the saved search.
Accessing logs
You can access internal log data for help with troubleshooting by searching by source type.
Data source | Source type |
---|---|
Logs from aws_cloudtrail.log. | aws:cloudtrail:log |
Logs from aws_cloudwatch.log. | aws:cloudwatch:log |
Logs from Splunk_TA_aws_aws_cloudwatch_logs.log. | aws:cloudwatchlogs:log |
Logs from aws_config.log. | aws:config:log |
Logs from Splunk_TA_aws_aws_description.log. | aws:description:log |
Logs from aws_billing.log. | aws:billing:log |
Logs from aws_s3.log. | aws:s3:log |
Logs from Splunk_TA_aws-RestEndpoints*.log, populated by REST API handlers called when setting up the add-on or data input. | aws:restendpoints:log |
Logs from proxy_conf.log, the proxy handler used in all AWS data inputs. | aws:proxy-conf:log |
Logs from s3util.log, populated by the S3, CloudWatch, and SQS connectors. | aws:s3util:log |
Logs from regex_dimensions.log, a regex dimension matcher used in CloudWatch. | aws:regex-dimensions:log |
Logs from ta_util, a shared utilities library. | aws:ta:util |
There are four additional logs that do not have source types associated with them at this time: Splunk_TA_aws_ta_util_conf_manager.log, Splunk_TA_aws_ta_util.log, Splunk_TA_aws_ta_util_rest.log, and Splunk_TA_aws_ta_util_scheduler.log. These four logs support functionality for the description and CloudWatch Logs modular inputs implemented in the Splunk Add-on for AWS and can be found in $SPLUNK_HOME/var/log/splunk.
S3 input performance issues
You can configure multiple S3 inputs for a single S3 bucket to improve performance. The Splunk platform dedicates one process for each data input, so provided that your system has sufficient processing power, performance will improve with multiple inputs.
Note: Be sure that multiple inputs do not collect the same S3 folder and file data, to prevent indexing duplicate data.
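The overlap the note warns about can be checked before enabling the inputs. The following is an added example, not code from the app or the add-on: it assumes the S3 inputs are defined as `[aws_s3://<name>]` stanzas with `bucket_name` and `key_name` (key prefix) settings, and the sample configuration is constructed. It compares only bucket and prefix.

```python
import configparser

# Constructed sample; the stanza prefix and the bucket_name / key_name
# settings are assumptions about how the S3 inputs are stored.
SAMPLE_INPUTS_CONF = """
[aws_s3://elb_logs_2015]
bucket_name = example-logs
key_name = elb/2015/

[aws_s3://elb_logs_all]
bucket_name = example-logs
key_name = elb/

[aws_s3://cloudfront]
bucket_name = example-logs
key_name = cloudfront/

[aws_s3://other_bucket]
bucket_name = example-archive
key_name = elb/
"""

def load_s3_inputs(conf_text):
    """Return (stanza, bucket, prefix) for every aws_s3 input stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    inputs = []
    for section in parser.sections():
        if section.startswith("aws_s3://"):
            bucket = parser.get(section, "bucket_name", fallback="").strip()
            prefix = parser.get(section, "key_name", fallback="").strip()
            inputs.append((section, bucket, prefix))
    return inputs

def find_overlaps(inputs):
    """Pairs of inputs on the same bucket where one prefix contains the other.
    An empty prefix covers the whole bucket, so it overlaps every other input."""
    overlaps = []
    for i, (name_a, bucket_a, prefix_a) in enumerate(inputs):
        for name_b, bucket_b, prefix_b in inputs[i + 1:]:
            if bucket_a != bucket_b:
                continue
            if prefix_a.startswith(prefix_b) or prefix_b.startswith(prefix_a):
                overlaps.append((name_a, name_b))
    return overlaps

if __name__ == "__main__":
    for a, b in find_overlaps(load_s3_inputs(SAMPLE_INPUTS_CONF)):
        print(f"overlap: {a} and {b} would index the same objects")
```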
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.0.0