Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Macros for the Splunk App for AWS

The Splunk App for AWS includes a set of macros that support dashboard performance. In most circumstances, you do not need to edit these macros.

If you are on a distributed deployment of Splunk Enterprise and you are not using the remote target command and thus managing inputs from the Splunk Add-on for AWS rather than the app, you need to update the index macros on your search heads to include any custom indexes that you are using for your AWS data by running the Update Macros saved search.

Name Default macro definition Update required if you manage inputs from the add-on rather than the app
aws-cloudtrail-index (index="main" OR index="aws-cloudtrail") If you are using any index for your CloudTrail data other than main, aws-cloudtrail, or another default index you have set for your environment, add it to this definition.
aws-config-index (index="main" OR index="aws-config") If you are using any index for your Config data other than main, aws-config, or another default index you have set for your environment, add it to this definition.
aws-billing-index (index="main" OR index="default") If you are using any index for your Billing data other than main or another default index you have set for your environment, add it to this definition.
aws-cloudwatch-index (index="main" OR index="default") If you are using any index for your CloudWatch data other than main or another default index you have set for your environment, add it to this definition.
aws-description-index (index="main" OR index="default") If you are using any index for your Description data other than main, add it to this definition.
aws-config-rule-index (index="main" OR index="default") If you are using any index for your Config Rule data other than main, add it to this definition.
aws-inspector-index (index="main" OR index="default") If you are using any index for your Amazon Inspector data other than main, add it to this definition.
aws-s3-index (index="main") If you are using any indexes for your S3 access logs, ELB access logs, and CloudFront access logs other than main, add them to this definition.
aws-health-index (index="main") If you are using any index for your AWS Personal Health data other than main, add it to this definition.
aws-cloudwatch-logs-index (index="main" OR index="default") If you are using any indexes other than main for your CloudWatch Logs data, including any data that you collect through the add-on's Kinesis input, add it to this definition.

If you do not run the Update Macros saved search to automatically update the macros, you can manually edit these macros to add your custom indexes.

  1. On each search head, go to Settings > Advanced search > Search macros.
  2. Change the App context to Splunk App for AWS (splunk_app_aws).
  3. Sort the list by Definition.
  4. Look for the macros with definitions that start with (index=.
  5. Open each macro and edit the definition string to include your custom indexes.

Alternatively, you can make these edits in $SPLUNK_HOME/etc/apps/splunk_app_aws/local/macros.conf on each search head.

Last modified on 22 November, 2016
Data models for the Splunk App for AWS  

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.0.0, 5.0.1, 5.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters