Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Saved searches for the Splunk App for AWS

The Splunk App for AWS includes the following saved searches.

Name Purpose Accelerated Action required
AWS Billing - Account Name Accelerates Billing Account ID to friendly name mapping. Yes Automatically enabled, no action required.
AWS Billing - Tags Extract user tags from billing data. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
AWS Billing Metadata Extract all sub account ids from billing data. Yes Automatically enabled, no action required.
AWS Config - Tags Extract user tags from config data. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
AWS Description - Tags Extract user tags from description data. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Billing Alert: Account Total Cost Billing alert template used for alerting user when the cost of a specific account reaches a threshold. No To use this alert, first modify the search to include your billing account ID, then enable and schedule this report on the Reports page in the app.
Billing Alert: Service Total Cost Billing alert templates used for alerting user when the cost of a specific service reaches a threshold. No To use this alert, first modify the search to include a service name, then enable and schedule this report on the Reports page in the app.
Billing Alert: Subaccount Service Total Cost Billing alert templates used for alerting user when the cost of a specific service for a subaccount reaches a threshold. No To use this alert, first modify the search to include your billing account ID and a service name, then enable and schedule this report on the Reports page in the app.
Billing Alert: Subaccount Total Cost Billing alert templates used for alerting user when the cost of a specific subaccount reaches a threshold. No To use this alert, first modify the search to include your billing account ID, then enable and schedule this report on the Reports page in the app.
CloudTrail Alert: IAM: Create/Delete Roles CloudTrail alert triggered by creation or deletion of roles in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: IAM: Create/Delete/Update Access Keys CloudTrail alert triggered by creation, deletion, or update of access keys in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: IAM: Create/Delete/Update Groups CloudTrail alert triggered by creation, deletion, or update of groups in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: IAM: Create/Delete/Update Users CloudTrail alert triggered by creation, deletion, or update of users in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: IAM: Group Membership Updates CloudTrail alert triggered by group membership changes in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions CloudTrail alert triggered by reboot, stop, or termination actions in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: Instances: Run/Start Actions CloudTrail alert triggered by run or start actions in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: Key Pairs: Create/Delete/Import Key Pairs CloudTrail alert triggered by creation, deletion, or importation of Key Pairs in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: Security Groups: Create/Delete Groups CloudTrail alert triggered by creation or deletion of security groups in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: Unauthorized Actions CloudTrail alert triggered by any unauthorized actions in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: VPC: Create/Delete VPC CloudTrail alert triggered by the creation or deletion of VPCs in AWS. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: VPC: Create/Delete/Attach Network Interfaces CloudTrail alert triggered by creation, deletion, or attachment of network interfaces in VPCs. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail Alert: VPC: Create/Delete/Replace Network ACLs CloudTrail alert triggered by creation, deletion, or replacement of network ACLs in VPCs. No To use this alert, enable and schedule this report on the Reports page in the app.
CloudTrail EventName Generator Extracts the eventnames from CloudTrail. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology CPU Metric Generator Gets past day's average value for CPU Percentage from CloudWatch every 20 minutes. It is used on topology dashboard in the KPI tooltip and CPU Utilization layer. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Disk IO Metric Generator Gets past day's average value for Disk IO Operation Count from CloudWatch every 20 minutes. It is used on topology dashboard in the KPI tooltip. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Network Traffic Metric Generator Gets past day's average value for Network IO Size from CloudWatch every 20 minutes. It is used on topology dashboard in the KPI tooltip and the Network Traffic layer. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Volume IO Metric Generator Gets past day's average value for Volume IO Operation Count from CloudWatch every 20 minutes. It is used on topology dashboard in the KPI tooltip. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Volume Traffic Metric Generator Gets past day's average value for Volume IO Size from CloudWatch every 20 minutes. It is used on topology dashboard in the KPI tooltip and the Network Traffic layer. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config: Topology Data Generator Collects data from AWS Config required to render the Topology dashboard. No Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Last modified on 26 February, 2016
Share data in the Splunk App for AWS   Lookups for the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters