Saved searches for the Splunk App for AWS
The Splunk App for AWS includes the following saved searches.
Name | Purpose | Accelerated | Action required |
---|---|---|---|
AWS Billing - Account Name | Accelerates Billing Account ID to friendly name mapping. | Yes | Automatically enabled, no action required. |
AWS Billing - Tags | Extracts user tags from billing data. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
AWS Billing Metadata | Extracts all sub-account IDs from billing data. | Yes | Automatically enabled, no action required. |
AWS Config - Tags | Extracts user tags from config data. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
AWS Description - Tags | Extracts user tags from description data. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
Billing Alert: Account Total Cost | Billing alert template used to alert the user when the cost of a specific account reaches a threshold. | No | To use this alert, first modify the search to include your billing account ID, then enable this alert on the Alerts page in the app. |
Billing Alert: Service Total Cost | Billing alert template used to alert the user when the cost of a specific service reaches a threshold. | No | To use this alert, first modify the search to include a service name, then enable the alert on the Alerts page in the app. |
Billing Alert: Subaccount Service Total Cost | Billing alert template used to alert the user when the cost of a specific service for a subaccount reaches a threshold. | No | To use this alert, first modify the search to include your billing account ID and a service name, then enable this alert on the Alerts page in the app. |
Billing Alert: Subaccount Total Cost | Billing alert template used to alert the user when the cost of a specific subaccount reaches a threshold. | No | To use this alert, first modify the search to include your billing account ID, then enable this alert on the Alerts page in the app. |
CloudTrail Alert: IAM: Create/Delete Roles | CloudTrail alert triggered by creation or deletion of roles in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: IAM: Create/Delete/Update Access Keys | CloudTrail alert triggered by creation, deletion, or update of access keys in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: IAM: Create/Delete/Update Groups | CloudTrail alert triggered by creation, deletion, or update of groups in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: IAM: Create/Delete/Update Users | CloudTrail alert triggered by creation, deletion, or update of users in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: IAM: Group Membership Updates | CloudTrail alert triggered by group membership changes in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions | CloudTrail alert triggered by reboot, stop, or termination actions in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: Instances: Run/Start Actions | CloudTrail alert triggered by run or start actions in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: Key Pairs: Create/Delete/Import Key Pairs | CloudTrail alert triggered by creation, deletion, or import of key pairs in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: Security Groups: Create/Delete Groups | CloudTrail alert triggered by creation or deletion of security groups in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: Unauthorized Actions | CloudTrail alert triggered by any unauthorized actions in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: VPC: Create/Delete VPC | CloudTrail alert triggered by the creation or deletion of VPCs in AWS. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: VPC: Create/Delete/Attach Network Interfaces | CloudTrail alert triggered by creation, deletion, or attachment of network interfaces in VPCs. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail Alert: VPC: Create/Delete/Replace Network ACLs | CloudTrail alert triggered by creation, deletion, or replacement of network ACLs in VPCs. | No | To use this alert, enable this alert on the Alerts page in the app. |
CloudTrail EventName Generator | Extracts the event names from CloudTrail. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology CPU Metric Generator | Gets the past day's average value for CPU Percentage from CloudWatch every 20 minutes. It is used on the Topology dashboard in the KPI tooltip and the CPU Utilization layer. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Disk IO Metric Generator | Gets the past day's average value for Disk IO Operation Count from CloudWatch every 20 minutes. It is used on the Topology dashboard in the KPI tooltip. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Network Traffic Metric Generator | Gets the past day's average value for Network IO Size from CloudWatch every 20 minutes. It is used on the Topology dashboard in the KPI tooltip and the Network Traffic layer. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Volume IO Metric Generator | Gets the past day's average value for Volume IO Operation Count from CloudWatch every 20 minutes. It is used on the Topology dashboard in the KPI tooltip. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Volume Traffic Metric Generator | Gets the past day's average value for Volume IO Size from CloudWatch every 20 minutes. It is used on the Topology dashboard in the KPI tooltip and the Network Traffic layer. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
Config: Topology Data Generator | Collects data from AWS Config required to render the Topology dashboard. | No | Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
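The table above repeatedly says that, when all inputs come from the Splunk Add-on for AWS, the generator and tag-extraction searches must be enabled and scheduled by hand, and that the CloudTrail alerts must be enabled before they fire. The following `savedsearches.conf` override is an added example, not configuration shipped with the app or taken from this page; it assumes the stanza names match the saved-search names in the table, that the app directory is `splunk_app_aws`, and that `security-team@example.com` is a placeholder recipient.

```ini
# $SPLUNK_HOME/etc/apps/splunk_app_aws/local/savedsearches.conf
# Local overrides only; never edit the files under default/.

# "Every twenty minutes on the hour, twenty past and forty past" as cron.
[CloudTrail EventName Generator]
disabled = 0
enableSched = 1
cron_schedule = 0,20,40 * * * *

[Config: Topology Data Generator]
disabled = 0
enableSched = 1
cron_schedule = 0,20,40 * * * *

# Tag extraction searches run once daily at midnight.
[AWS Billing - Tags]
disabled = 0
enableSched = 1
cron_schedule = 0 0 * * *

[AWS Config - Tags]
disabled = 0
enableSched = 1
cron_schedule = 0 0 * * *

[AWS Description - Tags]
disabled = 0
enableSched = 1
cron_schedule = 0 0 * * *

# Enable a CloudTrail alert and route it to the on-call mailbox (placeholder
# address). The search text and trigger condition are left as the app defines
# them; only the enabled state and the action are overridden here.
[CloudTrail Alert: Unauthorized Actions]
disabled = 0
enableSched = 1
alert.track = 1
action.email = 1
action.email.to = security-team@example.com
```

After saving the file, restart Splunk or reload the app's configuration, then confirm the merged settings with `splunk btool savedsearches list --app=splunk_app_aws --debug` so that a `default/` stanza is not silently overriding the local values.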
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.1