Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Install the Splunk App for AWS on Splunk Enterprise

This topic covers how to install the Splunk App for AWS on a Splunk Enterprise on-premises deployment. Looking for Splunk Cloud instructions? See Install the Splunk App for AWS on Splunk Cloud.

If you are upgrading from a previous version:

Download the app and the add-on

The Splunk App for AWS relies on an add-on to handle the data input logic. You can download both the app and the add-on on Splunkbase.

  • Splunk App for AWS version 4.2.0. If you are migrating from an unsupported installation of the Splunk App for AWS (version 3.X or earlier), install the 4.2.0 version as a new app. Version 4.X has a new folder name, so it does not replace 3.X or older versions in your environment.
  • Splunk Add-on for Amazon Web Services version 4.0.0 or later. If you are migrating from an existing installation of the Splunk Add-on for AWS, you can upgrade the add-on in place. The new version of the add-on is backwards compatible with older versions.

Install on a single instance

If your Splunk Enterprise deployment is a single instance, install both the app and the add-on to your single instance. You can use the Install app from file feature in the Manage Apps page in Splunk Web to install both packages, or install manually using the command line.

After you restart Splunk Enterprise, you may be prompted to set up the add-on. Choose Set up later because you will perform your setup through the app rather than the add-on.

If you are migrating from a 3.X or older version, go next to Migrate from an unsupported version of the Splunk App for AWS in the version 4.0.0 documentation. Otherwise, proceed to Add AWS accounts for the Splunk App for AWS.

Install on a distributed deployment

If your Splunk Enterprise deployment is distributed, follow these steps.

  1. Install both the app and add-on to your search heads.
  2. Turn off add-on visibility on your search heads.
  3. Install the add-on to a heavy forwarder.
  4. (Optional) Run the remote target command to connect your forwarder to your search heads. This step supports easy app configuration from the search head.
  5. If you are migrating from a previous version of the app, read the migration guide.

Deploy the app and the add-on to your search heads

If you are deploying to one or more individual search heads, follow your preferred method of deploying both the app and the add-on. You can:

  • follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • install manually using the command line.
  • use a deployment server to deploy the unconfigured packages to your search heads. Do not configure the app or add-on prior to deploying it.

Turn off visibility for the add-on on your search heads

After you have deployed the app and the add-on to your search heads, change the visibility setting for the add-on on each search head to make it not visible. This step helps prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node.

  1. Go to Apps > Manage Apps.
  2. Find the Splunk Add-on for AWS, with the folder name Splunk_TA_aws, in the list, and click Edit properties.
  3. Under Visible, click the radio button next to No.
  4. Click Save.
  5. Repeat these steps on all search heads.

Deploy the app and the add-on to your search head cluster

Install the app and the add-on using the deployer. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual in the Splunk Enterprise documentation.

To prepare the app and add-on for deployment in a search head cluster, some files must be removed to prevent validation errors on startup:

  1. On the deployer, remove the eventgen.conf file from the add-on folder: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/default
  2. On the deployer, remove the inputs.conf file from the add-on folder: $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/default
  3. On the deployer, remove all files in the folder $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/samples.

To turn off visibility for the add-on, update the app.conf.

  1. On the deployer, create an app.conf file in the folder $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_aws/local.
  2. Edit the local/app.conf file.
  3. Turn off visibility using the is_visible setting. Example:
[ui]
is_visible =  false

Deploy the add-on to a heavy forwarder

Follow your preferred method of deploying the Splunk Add-on for Amazon Web Services to one or more heavy forwarders. You can:

  • follow the Install app from file wizard on the Manage Apps screen in Splunk Web.
  • install manually using the command line.
  • use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

Note: The add-on does not support universal forwarders or light forwarders because the configuration logic handled by the add-on requires Python. In addition, if you choose to configure AWS accounts in the add-on instead of the app, you must do so using the add-on's configuration UI in Splunk Web rather than in the configuration files.

Run the remote target command to connect your search head and forwarder (optional)

The Splunk App for AWS offers the ability to manage your configuration and inputs in the app on your search heads rather than through the add-on on your forwarder. This means that, after you install all the components and perform the steps in this section, you do not need to manage any configurations from your forwarder. Instead, you can configure everything from the search head and the Splunk platform pushes all your configuration parameters to your forwarder. No AWS credential or configuration information is stored on the search heads. The forwarder receives the configuration information and performs the data collection and parsing as it normally would.

Do not use the remote target command if either of the following are true:

  • You have proxies, firewalls, or security group inbound settings blocking your search head's access to port 8089 on your heavy forwarder.
  • You need to use more than one heavy forwarder to handle data inputs for AWS.

If you do not use this command:

  • Perform all configuration activity using the Splunk Add-on for AWS on one or more heavy forwarders.
  • Avoid using the Configure tab in the app on your search heads to make any changes to your input or account settings. Using the Configure tab in the app without running this command causes any configurations made there to be stored on your search head, leading to potential conflicts or duplicated inputs.
  • Manually enable and schedule the saved searches in this app, which you can find in the app under Search > Reports. For more information, see Saved searches for the Splunk App for AWS.
  • Manually update the app's index macros if you are using indexes other than "main" for your AWS data. For more information, see Macros for the Splunk App for AWS.

To connect your search head and forwarder with the remote target command, perform the following steps on each search head, even if you have a search head cluster. If you are on Windows, replace all forward slashes with backslashes.

1. Open terminal and run 

cd $SPLUNK_HOME/bin

2. To set your forwarder as the remote target of the search head, run 

./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -set -host <search_head_ip> -port <search_head_mgmt_port> -username <username> -password <password> -t_host <target_forwarder_ip> -t_username <target_username> -t_password <target_password> -t_port <target_mgmt_port>

3. To show the current target, run 

./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -get -username <username> -password <password>

If a remote target exists, the command returns a brief report. If the remote target cannot be found, for example because the forwarder did not have the add-on installed or the add-on was in an unsupported version, the command returns an error.

Example: 

$ cd $SPLUNK_HOME/bin
$ ./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -set -host 10.66.130.123 -port 8089 -username shuser -password shpassword -t_host 10.66.130.200 -t_username fwduser -t_password fwdpassword -t_port 8089
$ ./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -get -username shuser -password shpassword
============================
10.66.130.200
============================
username=fwduser
eai:appName=splunk_app_aws
eai:userName=nobody
port=8089
password=fwdpassword
disabled=0
$

If, instead of a result statement like the one shown above, you see a "connection refused" error, check that your heavy forwarder is running and try again. If you see a "connection timed out" error, verify that the target port is accessible.

If you need to remove the remote target configuration at any time, you can run a removal command from the $SPUNK_HOME/bin directory on each search head. 

./splunk cmd python ../etc/apps/splunk_app_aws/bin/cli/targets_helper.py -remove -username <username> -password <password> -t_host <target_forwarder_ip>

Migrate your data from a previous version

If you are migrating from an unsupported version of the Splunk App for AWS (3.X or earlier), see Migrate from an unsupported version of the Splunk App for AWS in the version 4.0.0 documentation.

If you are upgrading from a previous version, see Upgrade guide for the Splunk App for AWS in the Release Notes if you are upgrading from the most recent version.

Last modified on 06 July, 2016
Install the Splunk App for AWS on Splunk Cloud   Add AWS accounts for the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.2.0, 4.2.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters