Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Sizing, performance, and cost considerations for the Splunk App for AWS

Before you set up the Splunk App for AWS and start ingesting data, review these guidelines for each input.

General

Input configuration screens require data transfer from AWS to populate the services, queues, and buckets available to your accounts. If your network to AWS is slow, these may take some time to load.

CloudTrail

Consideration Special notes
Sizing and Performance None
AWS Cost Using CloudTrail itself does not incur charges, but standard S3, SNS, and SQS charges apply.
See http://aws.amazon.com/pricing/services/.

Config

Consideration Special notes
Sizing and Performance None
AWS Cost Using Config incurs charges from AWS. See http://aws.amazon.com/config/pricing/.
In addition, standard S3, SNS, and SQS charges apply. See http://aws.amazon.com/pricing/services/.

CloudWatch

Consideration Special notes
Sizing and Performance The smaller the granularity you configure, the more events you collect.
Best practice: Configure a granularity that matches the precision that you require, setting a larger granularity value in cases when indexing fewer, less-granular events is acceptable. You can increase granularity temporarily when a problem is detected.
AWS Cost Using CloudWatch and making requests against the CloudWatch API incurs charges from AWS.
See http://aws.amazon.com/cloudwatch/pricing/

VPC Flow Logs

Consideration Special notes
Sizing and Performance AWS limits each account to 10 requests per second, each of which will return no more than 1 MB of data. This means the data ingestion and indexing rate will be no more than 10MB/s. The input can process up to 4K events per second in a single log stream.
Best practice: Use the add-on to configure the only_after parameter to limit the amount of historical data you collect, if volume is a concern.
AWS Cost Using CloudWatch Logs incurs charges from AWS. See http://aws.amazon.com/cloudwatch/pricing/
Transferring data out of CloudWatch Logs incurs charges from AWS. See http://aws.amazon.com/ec2/pricing/

S3

Consideration Special notes
Sizing and Performance AWS throttles S3 data collection at the bucket level, so expect some delay before all data arrives in your Splunk platform.
AWS Cost Using S3 incurs charges from AWS. See http://aws.amazon.com/s3/pricing/.

Billing

Consideration Special notes
Sizing and Performance None
AWS Cost Billing reports themselves do not incur charges, but standard S3 charges apply.
See http://aws.amazon.com/s3/pricing/.
Last modified on 28 January, 2016
Plan your deployment of the Splunk App for AWS   Configure your AWS services for the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0, 4.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters