Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Add a CloudWatch input for the Splunk App for AWS

Create a CloudWatch input to gather performance and billing metrics from the CloudWatch service.

Prerequisites

Before you can successfully configure a CloudWatch input, you need to make sure that the account friendly name you use to configure this input corresponds to an AWS Account Access Key ID that has the necessary permissions to gather this data. If you have not already done this, see Configure your AWS permissions for the Splunk App for AWS in this manual.

Add a new CloudWatch input

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the CloudWatch box, click New Input.

3. Select the friendly name of the AWS Account that you want to use to collect CloudWatch data. If you have not yet configured the account you need, click Add New Account to configure one now.

4. Under Regions, select Custom if you want to limit data collection with this input to certain regions. Otherwise, leave All selected.

Note: Selecting all regions may greatly increase the amount of data you collect, incurring charges in AWS and indexing volume. Select only the regions that you need.

5. Under Services, select All, Custom, or None for each service name listed. If you were expecting to see other services which are not listed, check that those services are enabled in the regions you have selected, and that the account you are using has permissions to list all the services. For example, you can only collect Billing metrics if the Virginia region is enabled and you have enabled billing alerts in the Billing and Cost Management console.

Note: Selecting All for all the services listed may greatly increase the amount of data you collect, incurring charges in AWS and indexing volume. Select only the services that you need, and customize the metrics and dimensions that you collect to avoid charges for collecting data that you do not need.

6. If you selected Custom for any of the services, you can remove individual Metrics to reduce the data that you collect.

7. Click in the Dimensions field to open a drop-down menu of available dimensions to further specify what data the app should collect. By default, the input collects data for all available dimensions. The dimensions field also supports regular expressions. For example:

  • For EBS, you can specify that only the metrics for Volume IDs vol-b8f600b6 and vol-692f6d61 should be collected by selecting those from the drop-down menu.
  • For SQS, you can collect only the metrics for Queue Names that start with "splunk" and end with "_current" by entering splunk.*_current\s.

8. (Optional) Open the Advanced Settings.

9. (Optional) Configure a Granularity for your input between 1 minute and 360 minutes (6 hours). The granularity is the sampling period for the data. The smaller your granularity, the more precise your metrics data becomes. Configuring a small granularity is useful when you want to do precise analysis of metrics and you are not concerned about limiting your data volume. Configure a larger granularity when a broader view is acceptable or you want to limit the amount of data you collect from AWS.

Note: If you configure a granularity that is smaller than the minimum sampling period allowed by AWS for a particular metric, your granularity configuration does not override the AWS limit. The app attempts to collect metric data at the granularity you specify even if AWS does not support that granularity, resulting in your indexed data being labeled with an incorrect granularity. This has no effect on app dashboards, which are configured to interpret your raw data correctly.

10. (Optional) Configure an Interval for your input between 1 minute and 360 minutes (6 hours). The interval is how often the app should poll CloudWatch for new data.

11. (Optional) Configure a custom Index.

12. Click Add to save and enable this data input.

When you create the data input, the Splunk App for AWS immediately begins collecting your CloudWatch data. If you did not adjust the advanced settings, the app collects data using a granularity of five minutes and polls for new data every hour.

Edit or delete a CloudWatch input

You can view, edit, or delete your existing CloudWatch inputs from the CloudWatch Inputs screen.

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the CloudWatch box, click the link that tells you how many inputs you currently have configured for CloudWatch.

3. The CloudWatch Inputs screen displays a list of CloudWatch inputs, organized by the name auto-assigned to the input.

4. From here, you can click the names to open the individual inputs to edit them, or you can delete an input by clicking the trash can icon.

Last modified on 30 March, 2016

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0, 4.1.1

