Inputs overview for the Splunk App for AWS
The Splunk App for AWS offers a range of inputs to gather useful data from your AWS environment to present in the app dashboards.
You can create and edit inputs through either the app (recommended) or the add-on. The add-on offers additional advanced configuration options not visible in the app configuration. Any advanced configurations you enter in the add-on are honored by the app, even when those parameters are not visible in the app's input configuration screens.
In the Splunk App for AWS, set up inputs under the Configure menu. Under Other Settings at the bottom of the Configure page, you have the option to display or suppress input-related warning messages.
The Splunk App for AWS saves your account and input configurations in the Splunk Add-on for AWS. If you open the add-on, your accounts and inputs are listed there as well.
Note: If you are using the Splunk App for AWS on a distributed, on-premises deployment of Splunk Enterprise, you must run the remote target command to connect your search head with your data collection node in order to be able to configure these inputs using the app configuration screen on your search heads. If you do not perform this step, configure your inputs through the add-on on your heavy forwarder and do not use the app configuration screens.
If you configure your inputs through the add-on, perform two additional steps:
- Manually enable and schedule the saved searches in this app, which you can find in the app under Search > Reports. For more information, see Saved searches for the Splunk App for AWS.
- Update the app's index macros using the Update Macros saved search if you are using any indexes other than "main." For more information, see Macros for the Splunk App for AWS.
The table below indicates which inputs feed data to which dashboards. Click the input name for instructions on how to configure it.
Note: For AWS Elastic Load Balancer (ELB) data inputs and dashboards, the Splunk App for AWS currently supports Classic Load Balancer only. The new Application Load Balancer (ALB) type is not supported.
Input | Description | Dashboards |
---|---|---|
AWS Config | Configuration snapshots, historical configuration data, and change notifications from the AWS Config service. | Overview, Topology, Security Groups, Resource Activity, Timeline |
Config Rules | Compliance details, compliance summary, and evaluation status of your AWS Config Rules. | Topology, Config Rules, Timeline |
CloudWatch | Performance and billing metrics from the AWS CloudWatch service. | Overview, Topology, Usage Overview, EC2 Instances, Individual EC2 Instances, EBS Volumes, Individual EBS Volumes, ELB Instances, Individual ELB Instances, Relational Database Service, Current Month Estimated Billing, Insights Overview, EC2 Insights, Elastic Load Balancing Insights, EBS Insights, Billing Anomaly Insights, Lambda |
CloudTrail | Management and change events from the AWS CloudTrail service. | Overview, Topology, Security Overview, IAM Activity, VPC Activity, Security Groups, Key Pairs Activity, Network ACLs, User Activity, Insights Overview, Security Anomaly Insights, Timeline |
Billing | Billing data from the reports that you collect in the Billing & Cost Management console. | Historical Monthly Bills, Historical Detailed Bills, Capacity Planning |
S3 | Generic log data and access logs from your S3 buckets, including incremental logs. | Overview, CloudFront - Traffic Analysis, ELB - Traffic Analysis, S3 - Traffic Analysis |
CloudWatch Logs | Data from the CloudWatch Logs service, including VPC flow logs. Flow logs allow you to capture IP traffic flow data for the network interfaces in your resources. | Topology, VPC Flow Logs - Traffic Analysis, VPC Flow Logs - Security Analysis |
Kinesis | Data from Amazon Kinesis streams. | Topology, VPC Flow Logs - Traffic Analysis, VPC Flow Logs - Security Analysis |
Amazon Inspector | Assessment Runs and Findings data from the Amazon Inspector service. | Topology, Amazon Inspector, Timeline |
Metadata | Metadata about your AWS resources. | Overview, Usage Overview, EC2 Instances, EBS Volumes, VPC Activity, Security Groups, Key Pairs Activity, Network ACLs, Insights Overview, Elastic IP Insights, EC2 Insights, Elastic Load Balancing Insights, EBS Insights, Lambda, Timeline |
For information about the source types and CIM compatibility of these inputs, see What data the Splunk App for AWS collects.
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.0.0, 5.0.1, 5.0.2