Splunk® App for AWS (Legacy)

Installation and Configuration Manual

Acrobat logo Download manual as PDF


On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Add a CloudWatch Logs input for the Splunk App for AWS

Create a CloudWatch Logs input to capture IP traffic flow data for the network interfaces in your resources.

Note: If you have a high volume of data in your CloudWatch Logs, do not use this input. Instead, configure a Kinesis input in the Splunk Add-on for AWS and choose the source type aws:cloudwatchlogs or aws:cloudwatchlogs:vpcflow.

Prerequisites

Before you can successfully configure a CloudWatch Logs input, you need to:

1. Enable CloudWatch logging (including VPC flow logging) in all the regions that you want to track data in the Splunk App for AWS. If you have not already done this, see Configure your AWS services for the Splunk App for AWS in this manual.

2. Make sure that the account friendly name you use to configure this input corresponds to an AWS Account Access Key ID or EC2 IAM role that has the necessary permissions to gather this data. If you have not already done this, see Configure your AWS permissions for the Splunk App for AWS in this manual.

Add a new CloudWatch Logs input

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the CloudWatch Logs box, click New Input.

3. Select the friendly name of the AWS Account that you want to use to collect CloudWatch Logs data. If you have not yet configured the account you need, click Add New Account to configure one now.

4. Under Log Groups, select a Region for which you have enabled CloudWatch Logging.

5. Click Select a log group to view the log group names for the region you have selected. If you do not see any, verify that you have completed all steps in the prerequisites.

6. Select the log group names that you want to gather data from.

7. Click the + button to add another log group. You can gather data from multiple log groups within a single region or from different regions.

8. Repeat steps 4 - 7 until you have configured log group names for all the regions where you have CloudWatch Logging enabled in AWS.

9. Under Source Type, select one of these source types:

  • aws:cloudwatchlogs: Data from the CloudWatch Logs service.
  • aws:cloudwatchlogs:vpcflow: VPC flow logs from the CloudWatch Logs service.

10. (Recommended) Configure a custom Index.

11. Click Add to save and enable this data input.

When you create the data input, the Splunk App for AWS immediately begins collecting your CloudWatch Log data, including all historical data, and checks for updates every ten minutes.

Edit or delete a CloudWatch Logs input

You can view, edit, or delete your existing CloudWatch Logs inputs from the CloudWatch Logs Inputs screen.

1. In the app, click Configure in the app navigation bar.

2. Under Data Sources, in the CloudWatch Logs box, click the link that tells you how many inputs you currently have configured for CloudWatch Logs.

3. The CloudWatch Logs Inputs screen displays a list of CloudWatch Logs inputs, organized by the name auto-assigned to the input.

4. From here, you can click the names to open the individual inputs to edit them, or you can delete an input by clicking the trash can icon.

Note: If you delete an input and then add a new one for the same log group, the app collects all your historical data again.

Last modified on 14 November, 2016
PREVIOUS
Add a CloudWatch input for the Splunk App for AWS
  NEXT
Add a Billing input for the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.0.0, 5.0.1, 5.0.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters