Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Install the Splunk App for AWS on Splunk Enterprise

This topic covers how to install the Splunk App for AWS on a Splunk Enterprise on-premises deployment. Looking for Splunk Cloud instructions? See Install the Splunk App for AWS on Splunk Cloud.

If you are upgrading from a previous version:

Download the app and the add-on

The Splunk App for AWS relies on an add-on to handle the data input logic. You can download both the app and the add-on on Splunkbase.

  • Splunk App for AWS version 4.1.0. If you are migrating from an unsupported installation of the Splunk App for AWS (version 3.X or earlier), install the 4.1.0 version as a new app. Version 4.X has a new folder name, so it does not replace 3.X or older versions in your environment.
  • Splunk Add-on for Amazon Web Services version 3.0.0 or later. If you are migrating from an existing installation of the Splunk Add-on for AWS, you can upgrade the add-on in place. The new version of the add-on is backwards compatible with older versions.

Install on a single instance

If your Splunk Enterprise deployment is a single instance, install both the app and the add-on to your single instance. You can use the Install app from file feature in the Manage Apps page in Splunk Web to install both packages, or install manually using the command line.

After you restart Splunk Enterprise, you may be prompted to set up the add-on. Choose Set up later because you will perform your setup through the app rather than the add-on.

If you are migrating from a 3.X or older version, go next to Migrate from an unsupported version of the Splunk App for AWS in the version 4.0.0 documentation. Otherwise, proceed to Add AWS accounts for the Splunk App for AWS.

Install on a distributed deployment

If your Splunk Enterprise deployment is distributed, follow these steps.

  1. Install both the app and add-on to your search heads.
  2. Turn off add-on visibility on your search heads.
  3. Install the add-on to a heavy forwarder.
  4. (Optional) Run the remote target command to connect your forwarder to your search heads. This step supports easy app configuration from the search head.


Deploy the app and the add-on to your search heads

If you are deploying to one or more individual search heads, follow your preferred method of deploying both the app and the add-on. You can:

  • follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • install manually using the command line.
  • use a deployment server to deploy the unconfigured packages to your search heads. Do not configure the app or add-on prior to deploying it.

If you are deploying to a search head cluster:

1. Make the following changes to the add-on package to avoid validation errors:

  • Remove the eventgen.conf files and all files in the samples folder.
  • Remove the default/inputs.conf file.

2. Install the app and the add-on using the deployer. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual in the Splunk Enterprise documentation.
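The following script is an added example for the two-step package preparation above; it is not Splunk's own tooling. It assumes the add-on package has already been extracted into a directory named Splunk_TA_aws (the name this topic gives for the add-on folder). The sample file layout created by make_sample_ta is constructed for the demo and is not the add-on's real contents. The check for a populated local/ directory is an added assumption based on the instruction in this topic to deploy only unconfigured packages.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): prepare an extracted Splunk_TA_aws
# directory for the search head cluster deployer by removing the files this
# topic lists, then check that nothing configuration-bearing remains.

# Constructed sample layout used only to exercise the functions. The file names
# below are invented for the demo and are not the add-on's real contents.
make_sample_ta() {
  dir=$1
  mkdir -p "$dir/default" "$dir/samples" "$dir/bin" "$dir/local"
  : > "$dir/default/app.conf"
  : > "$dir/default/inputs.conf"
  : > "$dir/default/eventgen.conf"
  : > "$dir/samples/sample_events.log"
  : > "$dir/bin/placeholder.py"
  : > "$dir/local/aws_account.conf"   # stands in for a configured package
}

# Remove every eventgen.conf, the samples folder and default/inputs.conf,
# which is exactly what this topic says avoids deployer validation errors.
prep_ta_for_shc() {
  dir=$1
  if [ ! -d "$dir/default" ]; then
    echo "$dir does not look like an extracted Splunk app (no default/)" >&2
    return 1
  fi
  find "$dir" -type f -name eventgen.conf -exec rm -f {} +
  rm -rf "$dir/samples"
  rm -f "$dir/default/inputs.conf"
}

# 0 if the package is ready for the deployer: the stripped files are gone and
# there is no populated local/ directory. The local/ check is an added
# assumption based on the instruction to deploy only unconfigured packages;
# local/ is where Splunk Web writes configuration such as account credentials.
ta_is_deployer_ready() {
  dir=$1
  [ -z "$(find "$dir" -type f -name eventgen.conf)" ] || return 1
  [ ! -e "$dir/samples" ] || return 1
  [ ! -e "$dir/default/inputs.conf" ] || return 1
  if [ -d "$dir/local" ] && [ -n "$(ls -A "$dir/local")" ]; then
    echo "$dir/local is populated; deploy the add-on unconfigured" >&2
    return 1
  fi
  return 0
}

# Demo on a scratch copy: sh prep_ta_for_shc.sh --demo
if [ "${1:-}" = "--demo" ]; then
  scratch=$(mktemp -d)
  make_sample_ta "$scratch/Splunk_TA_aws"
  prep_ta_for_shc "$scratch/Splunk_TA_aws"
  rm -rf "$scratch/Splunk_TA_aws/local"
  ta_is_deployer_ready "$scratch/Splunk_TA_aws" && echo "ready for the deployer"
  rm -rf "$scratch"
fi
```

In practice you extract the downloaded package with tar, run prep_ta_for_shc on the resulting Splunk_TA_aws directory, confirm ta_is_deployer_ready returns 0, and only then copy the directory into the deployer's shcluster/apps location.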

Turn off visibility for the add-on on your search heads

After you have deployed the app and the add-on to your search heads, change the visibility setting for the add-on on each search head to make it not visible. This step helps prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.

1. Go to Apps > Manage Apps.

2. Find the Splunk Add-on for AWS, with the folder name Splunk_TA_aws, in the list, and click Edit properties.

3. Under Visible, click the radio button next to No.

4. Click Save.

5. Repeat these steps on all search heads.

Deploy the add-on to a heavy forwarder

Follow your preferred method of deploying the Splunk Add-on for Amazon Web Services to one or more heavy forwarders. You can:

  • follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • install manually using the command line.
  • use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

Note: The add-on does not support universal forwarders or light forwarders because the configuration logic handled by the add-on requires Python.

Run the remote target command to connect your search head and forwarder (optional)

The Splunk App for AWS offers the ability to manage your configuration and inputs in the app on your search heads rather than through the add-on on your forwarder. After you install all the components and perform the steps in this section, you do not need to manage any configurations from your forwarder: you configure everything from the search head, and the Splunk platform pushes the configuration parameters to your forwarder. No AWS credentials or AWS configuration information is stored on the search heads. Note, however, that the search head does store the forwarder's Splunk management credentials that you supply with -t_username and -t_password (the -get report later in this topic prints them). The forwarder receives the configuration information and performs the data collection and parsing as it normally would.

This procedure is optional. If you do not choose to use it, perform all configuration activity on a heavy forwarder and do not use the Configure tab in the app on your search heads. Using the Configure tab in the app without running this command causes any configurations made there to be stored on your search head, leading to potential conflicts or duplicated inputs. If you do not run the remote target command and you configure your inputs on a heavy forwarder, you need to manually enable and schedule the saved search called Config: Topology Data Generator on your search heads, which you can find in the app under Search > Reports. This search runs every twenty minutes and helps populate your Topology dashboard.

To use this remote target command, port 8089 (the management port) of your heavy forwarder must be accessible from your search head. If you have proxies, firewalls, or security group inbound settings blocking this access, adjust those settings before you proceed, or do not use this procedure. Open the port only to the search head addresses rather than to a broad source range.

To connect your search head and forwarder with the remote target command, perform the following steps on each search head, even if you have a search head cluster. If you are on Windows, replace all forward slashes with backslashes. Both commands take passwords as command-line arguments, so the passwords appear in your shell history and in process listings on the search head while the command runs; use accounts dedicated to this purpose and remove the commands from your shell history afterwards.

1. Open terminal and run

cd $SPLUNK_HOME/bin 

2. To set your forwarder as the remote target of the search head, run

./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -set -host <search_head_ip> -port <search_head_mgmt_port> -username <username> -password <password> -t_host <target_forwarder_ip> -t_username <target_username> -t_password <target_password> -t_port <target_mgmt_port>

3. To show the current target, run

./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -get -username <username> -password <password>

If a remote target exists, the command returns a brief report. If the remote target cannot be found, for example because the forwarder did not have the add-on installed or the add-on was in an unsupported version, the command returns an error.

Example:

$ cd $SPLUNK_HOME/bin
$ ./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -set -host 10.66.130.123 -port 8089 -username shuser -password shpassword -t_host 10.66.130.200 -t_username fwduser -t_password fwdpassword -t_port 8089
$ ./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -get -username shuser -password shpassword
============================
10.66.130.200
============================
username=fwduser
eai:appName=splunk_app_aws
eai:userName=nobody
port=8089
password=fwdpassword
disabled=0
$

If, instead of a result statement like the one shown above, you see a "connection refused" error, check that your heavy forwarder is running and try again. If you see a "connection timed out" error, verify that the target port is accessible from the search head. Note that the -get report prints the forwarder password in cleartext, so redact it before pasting the report into a ticket or log.

If you need to remove the remote target configuration at any time, run the following removal command from the $SPLUNK_HOME/bin directory on each search head.

./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -remove -username <username> -password <password> -t_host <target_forwarder_ip>
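The following script is an added example for the remote target procedure above; it is not part of the app or the add-on. It parses the report that targets_helper.py -get prints, confirms that the search head points at the intended forwarder and management port with the target enabled, and redacts the forwarder password before the report is shared. The report text in SAMPLE_REPORT is a constructed sample in the shape shown in this topic; the addresses, user names and password are made up, and the SH_USER and SH_PASS variables in the usage comment are assumed names.

```shell
#!/bin/sh
# Added example (not part of the app): validate the report that
# targets_helper.py -get prints, so a script can confirm the search head points
# at the intended forwarder and that the target is enabled, and redact the
# password before the report is shared. The report text below is a constructed
# sample in the shape shown on this page; the addresses and names are made up.
SAMPLE_REPORT='============================
10.66.130.200
============================
username=fwduser
eai:appName=splunk_app_aws
eai:userName=nobody
port=8089
password=fwdpassword
disabled=0'

# target_host REPORT: the host printed between the two rules of = characters.
target_host() {
  printf '%s\n' "$1" | awk '/^=+$/ { rules++; next } rules == 1 { print; exit }'
}

# target_field REPORT KEY: the value of a key=value line (value may contain =).
target_field() {
  printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# check_remote_target REPORT HOST PORT: 0 when the report names the expected
# forwarder host and management port and the target is not disabled.
check_remote_target() {
  report=$1; want_host=$2; want_port=$3
  host=$(target_host "$report")
  if [ "$host" != "$want_host" ]; then
    echo "remote target is '$host', expected '$want_host'" >&2; return 1
  fi
  port=$(target_field "$report" port)
  if [ "$port" != "$want_port" ]; then
    echo "remote target port is '$port', expected '$want_port'" >&2; return 1
  fi
  if [ "$(target_field "$report" disabled)" != "0" ]; then
    echo "remote target is disabled" >&2; return 1
  fi
  return 0
}

# redact_report REPORT: the same report with the forwarder password masked, for
# pasting into tickets; the raw -get output prints it in cleartext.
redact_report() {
  printf '%s\n' "$1" | sed 's/^password=.*/password=<redacted>/'
}

# Typical use on a search head, after the -set command from this topic
# (SH_USER and SH_PASS are assumed variable names holding the search head login):
#   report=$("$SPLUNK_HOME/bin/splunk" cmd python \
#     "$SPLUNK_HOME/etc/apps/splunk_app_aws/bin/cli/targets_helper.py" \
#     -get -username "$SH_USER" -password "$SH_PASS")
#   check_remote_target "$report" 10.66.130.200 8089 && redact_report "$report"
```

Running check_remote_target on every search head after the -set step catches the two common mistakes the -get report exposes: a target set to the wrong forwarder address, and a target that exists but is disabled, neither of which produces the "connection refused" or "connection timed out" errors described above.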

Migrate your data from a previous version

If you are migrating from an unsupported version of the Splunk App for AWS (3.X or earlier), see Migrate from an unsupported version of the Splunk App for AWS in the version 4.0.0 documentation.

If you are upgrading from a supported previous version (4.X), see Upgrade guide for the Splunk App for AWS in the Release Notes.

Last modified on 03 June, 2016

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0