Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Add a Billing input for the Splunk App for AWS

Create a Billing input to gather monthly billing reports and detailed billing reports with resources and tags for your AWS account.

Note: The Billing input does not collect billing reports for your AWS Marketplace charges.

Prerequisites

Before you can successfully configure a Billing input, you need to:

1. Set up AWS to produce the report types that you want to collect and place them in a dedicated S3 bucket. If you have not already done this, configure both the CloudWatch (used by the Current Month Estimated Billing dashboard) and Billing (used by all other billing dashboards) services first. For information about how to configure these services, see the Configure CloudWatch and Configure billing sections, respectively, in this manual.

2. Make sure that the account friendly name you use to configure this input corresponds to an AWS Account Access Key ID or EC2 IAM role that has the necessary permissions to gather this data. If you have not already done this, see Configure your AWS permissions for the Splunk App for AWS in this manual.

Add a new Billing input

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the Billing box, click New Input.

3. Select the friendly name of the AWS Account that you want to use to collect billing report data. If you have not yet configured the account you need, click Add New Account to configure one now.

4. Under S3 Bucket for Billing Reports, select the name of the S3 bucket that contains your billing reports.

5. Select a starting point for report collection under Index data since.

6. Under Data sources, check the boxes next to the report types that you want to collect. The screen displays an estimated count and total size for each kind of report found in the bucket that you specified. Note that the data input automatically skips files that do not match the correct report type or have any storage class other than "Standard." If you do not want to collect all the reports or have any concerns about indexing volume, change your Index data since value or do not configure the input on this screen. Instead, see Advanced configuration for report collection for instructions on how to configure this input through the add-on.

7. (Recommended) Configure a custom Index to store this data.

8. Click Add to save and enable this data input.

Billing report collection behavior

When you create the data input, the Splunk App for AWS immediately begins collecting reports that it finds in the bucket you have specified. The collection behavior differs for Monthly cost allocation reports and Detailed billing reports with resources and tags.

  • Monthly cost allocation report collection: The first time that you run the input, the app collects all finalized Monthly cost allocation reports that it finds in the S3 bucket for all past months. Once per day, the app checks again for any new reports that have become available. The app collects a new copy of the current month's report once per day until AWS finalizes that report.
  • Detailed billing report with resources and tags collection: The first time that you run the input, the app collects all finalized Detailed billing reports with resources and tags that it finds in the S3 bucket for all past months. Once per day, the app checks again for any new reports that have become available. The app never collects the current month's detailed report until after the month has ended. In some cases, AWS continues to adjust costs in the previous month's detailed report after the month has ended. This means that it is possible that you may index multiple copies of your most recent month's detailed billing reports at the beginning of each new month. If your billing reports are very large and you wish to avoid indexing multiple copies of a not-quite-final report, see Advanced configuration for report collection.

Advanced configuration for report selection

You can configure a billing input through the Splunk Add-on for AWS instead of through the app to access advanced configuration options. Using the add-on, you can:

  • Configure a regex to specify exactly which billing report file names should be collected. This allows you to limit historical collection to a particular time range and thus avoid indexing reports that you are not interested in.
  • Configure a collection interval to specify when and how often to run the collection job. This is useful if you notice that AWS is updating your Detailed report after the month has ended, even though it appears to be final. If you want to avoid indexing multiple copies of pre-final Detailed billing reports with resources and tags, you can configure a cron schedule for collection that skips the first several days of each new month.

For more information about how to tune billing report collection behavior using the add-on, see Add a Billing input for the Splunk Add-on for AWS.
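Before committing a file-name regex and cron schedule in the add-on, you can preview their effect offline. The following is an added example, not code from Splunk or the add-on: the bucket listing is constructed, the account ID is a placeholder, the file names follow the AWS legacy billing report naming, and the regex and helper names are assumptions.

```python
import re

# Constructed S3 listing: (object key, storage class). Account ID is a placeholder.
PREFIX = "123456789012-aws-billing-detailed-line-items-with-resources-and-tags-"
SAMPLE_OBJECTS = [
    ("123456789012-aws-cost-allocation-2016-11.csv", "STANDARD"),
    ("123456789012-aws-cost-allocation-2017-02.csv", "STANDARD"),
    (PREFIX + "2016-12.csv.zip", "STANDARD"),
    (PREFIX + "2017-01.csv.zip", "GLACIER"),   # non-Standard: skipped by the input
    (PREFIX + "2017-03.csv.zip", "STANDARD"),
    ("logs/unrelated-2017-03.csv", "STANDARD"),
]

# Candidate regex (an assumption): Detailed reports with resources and tags,
# 2017 only. Anchored at both ends so the result does not depend on whether
# the consumer uses search or full-match semantics.
DETAILED_2017 = (
    r"^\d+-aws-billing-detailed-line-items-with-resources-and-tags-"
    r"2017-\d{2}\.csv\.zip$"
)

def preview(regex, objects):
    """Return the keys the regex selects, skipping non-Standard storage classes."""
    pattern = re.compile(regex)
    return [key for key, storage in objects
            if storage == "STANDARD" and pattern.search(key)]

def cron_days(day_field):
    """Expand a cron day-of-month field ('*', lists, ranges; no step values)."""
    if day_field == "*":
        return set(range(1, 32))
    days = set()
    for part in day_field.split(","):
        lo, _, hi = part.partition("-")
        days.update(range(int(lo), int(hi or lo) + 1))
    return days

def skips_first_days(cron_expr, n):
    """True if a five-field cron schedule never fires on days 1..n of a month."""
    day_of_month = cron_expr.split()[2]
    return cron_days(day_of_month).isdisjoint(range(1, n + 1))

if __name__ == "__main__":
    print(preview(DETAILED_2017, SAMPLE_OBJECTS))
    print(skips_first_days("0 3 6-31 * *", 5))   # daily at 03:00 from day 6 on
    print(skips_first_days("0 3 * * *", 5))      # plain daily schedule
```

The day-of-month check assumes the day-of-week field is left as `*`, since standard cron runs a job when either restricted field matches.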

Edit or delete a Billing input

You can view, edit, or delete your existing Billing inputs from the Billing Inputs screen.

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the Billing box, click the link that tells you how many inputs you currently have configured for Billing.

3. The Billing screen displays a list of Billing inputs, organized by the name auto-assigned to the input.

4. From here, you can click the names to open the individual inputs to edit them, or you can delete an input by clicking the trash can icon.

Last modified on 14 June, 2017

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.1.0, 4.1.1, 4.2.0, 4.2.1, 5.0.0, 5.0.1, 5.0.2

