Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Saved searches for the Splunk App for AWS

The Splunk App for AWS includes the following saved searches.

To enable or disable a saved search:

  1. From the Settings menu, choose Searches, reports, and alerts.
  2. Locate the saved search by filtering the list or entering the name of the saved search in the filter field to search for it.
  3. Under the Action column of the saved search, choose Edit > Enable/Disable to enable or disable it.

The "Addon Metadata - Summarize AWS Inputs" saved search is included in the Splunk Add-on for AWS and is disabled by default, but you MUST enable this saved search on the add-on side for the Splunk App for AWS to work properly. The saved search is used to aggregate inputs and accounts data in the "summary" index.

Name Purpose Action required
Amazon Inspector: Topology Amazon Inspector Recommendation Generator Generates Amazon Inspector data for the Amazon Inspector & Config Rules layer on the Topology dashboard. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
App Upgrader Migrates topology data, refreshes the detailed billing data model, and enables newly introduced saved searches to complete the app upgrade. Automatically enabled. No action required.
Anomaly Detection (billing_d, cloudtrail_d, cloudtrail_h) Used for anomaly detection. Automatically enabled when you configure an anomaly detection rule. No action required. Scheduled to run once on a daily basis.
AWS Billing - Account Name Populates an Account name lookup file, account_name.csv, so that the app dashboards can display friendly names for the account IDs in your billing reports. This saved search runs automatically the first time that a user access one of the four dashboards that contain billing data. If you have a large amount of data, this search may take up to a minute to fully populate the lookup file with the friendly names that correspond to the account IDs in the reports. After the lookup generation is complete, the dashboard prompts you to reload the page to display your friendly account names. This search is not scheduled, so after it runs the first time the lookup is not updated again. If, in future months, your billing reports include additional accounts, you may want to rerun the saved search manually to capture the new friendly names for those accounts.
AWS: calculate data volume indexed Calculates how much data volume the app and add-on have ingested daily. Automatically enabled. No action required. Scheduled to run once daily at twenty minutes past midnight.
AWS Config - Tags Extract user tags from config data. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
AWS Description - CloudFront Edges Generates metadata of Cloudfront Edges. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. No action required. Scheduled to run once on a daily basis. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
AWS Description - Tags Extract user tags from description data. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Billing Alert: Account Total Cost Billing alert template used for alerting user when the cost of a specific account reaches a threshold. To use this alert, first modify the search to include your billing account ID, then enable this alert on the Alerts page in the app.
Billing Alert: Service Total Cost Billing alert templates used for alerting user when the cost of a specific service reaches a threshold. To use this alert, first modify the search to include a service name, then enable the alert on the Alerts page in the app.
Billing Alert: Subaccount Service Total Cost Billing alert templates used for alerting user when the cost of a specific service for a subaccount reaches a threshold. To use this alert, first modify the search to include your billing account ID and a service name, then enable this alert on the Alerts page in the app.
Billing Alert: Subaccount Total Cost Billing alert templates used for alerting user when the cost of a specific subaccount reaches a threshold. To use this alert, first modify the search to include your billing account ID, then enable this alert on the Alerts page in the app.
Billing CUR: Billing Reports AssemblyId Generator Populates the billing_report_assemblyid_cur.csv lookup to map the month's AWS Cost and Usage Report to the assemblyId. Runs automatically the first time a user accesses a dashboard that contains billing data. Schedule to run once a day. If you configure inputs through the Splunk Add-on for Amazon Web Services, manually enable and schedule this saved search.
Billing CUR: Topology Billing Metric Generator Generates billing data from the AWS Cost and Usage Report for the Billing layer on the Topology dashboard. Automatically enabled when you configure an input from the Configure tab. Scheduled to run every hour. If you configure inputs through the Splunk Add-on for Amazon Web Services, manually enable and schedule this saved search.
Billing: Detailed Reports List Used to reduce the loading time of the "Select Billing Tags" window on the Configure dashboard. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run once daily at 10pm. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Billing: Topology Billing Metric Generator Generates billing data for Billing layer on the Topology dashboard. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudTrail Base Search Used for report acceleration. Accelerated search. No action required.
CloudTrail Timechart Search Used for report acceleration. Accelerated search. No action required.
CloudTrail S3 Data Event Search Used for report acceleration. Accelerated search. No action required.
CloudTrail Alert: IAM: Create/Delete Roles CloudTrail alert triggered by creation or deletion of roles in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: IAM: Create/Delete/Update Access Keys CloudTrail alert triggered by creation, deletion, or update of access keys in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: IAM: Create/Delete/Update Groups CloudTrail alert triggered by creation, deletion, or update of groups in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: IAM: Create/Delete/Update Users CloudTrail alert triggered by creation, deletion, or update of users in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: IAM: Group Membership Updates CloudTrail alert triggered by group membership changes in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: Instances: Reboot/Stop/Terminate Actions CloudTrail alert triggered by reboot, stop, or termination actions in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: Instances: Run/Start Actions CloudTrail alert triggered by run or start actions in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: Key Pairs: Create/Delete/Import Key Pairs CloudTrail alert triggered by creation, deletion, or importation of Key Pairs in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: Security Groups: Create/Delete Groups CloudTrail alert triggered by creation or deletion of security groups in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: Unauthorized Actions CloudTrail alert triggered by any unauthorized actions in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: VPC: Create/Delete VPC CloudTrail alert triggered by the creation or deletion of VPCs in AWS. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: VPC: Create/Delete/Attach Network Interfaces CloudTrail alert triggered by creation, deletion, or attachment of network interfaces in VPCs. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail Alert: VPC: Create/Delete/Replace Network ACLs CloudTrail alert triggered by creation, deletion, or replacement of network ACLs in VPCs. To use this alert, enable this alert on the Alerts page in the app.
CloudTrail EventName Generator Extracts the eventnames from CloudTrail. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every twenty minutes on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology CPU Metric Generator Gets past day's average value for CPU Percentage from CloudWatch every hour. It is used on topology dashboard in the KPI tooltip and CPU Utilization layer. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Disk IO Metric Generator Gets past day's average value for Disk IO Operation Count from CloudWatch every hour. It is used on topology dashboard in the KPI tooltip. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Network Traffic Metric Generator Gets past day's average value for Network IO Size from CloudWatch every hour. It is used on topology dashboard in the KPI tooltip and the Network Traffic layer. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Volume IO Metric Generator Gets past day's average value for Volume IO Operation Count from CloudWatch every hour. It is used on topology dashboard in the KPI tooltip. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
CloudWatch: Topology Volume Traffic Metric Generator Gets past day's average value for Volume IO Size from CloudWatch every hour. It is used on topology dashboard in the KPI tooltip and the Network Traffic layer. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config: Topology Daily Snapshot Generator Generates daily snapshot of AWS topology. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every day. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config: Topology Monthly Snapshot Generator Generates monthly snapshot of AWS topology. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every month. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config: Topology History Appender Appends new AWS Config data collected through the Splunk Add-on for AWS to summary index, which is used to generate the AWS topology snapshot. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config: Topology Playback Appender Converts AWS Config data into topology summary index used by the topology playback feature. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every day. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config: Topology History Generator Migrates previous AWS Config data before update to summary index, which is used to generate the AWS topology snapshot. Automatically scheduled to run once shortly after upgrade. No action required. You can also manually run this saved search after upgrading the app from an earlier version.
Config Rules: Topology Config Rules Generator Generates Config Rules data for the Amazon Inspector & Config Rules layer on the Topology dashboard. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Config Rules Alert: New Non-Compliant Resource Sends an alert when a new non-compliant resource is found by Config Rules during the previous day. To use this alert, enable this alert on the Alerts page in the app.
Insights Alert: Billing Anomaly Detection Used for alerting the user when anomalies have been detected in Billing data. To use this alert, enable this alert on the Alerts page in the app.
Insights Alert: Security Anomaly Detection Used for alerting the user when anomalies have been detected in CloudTrail data. To use this alert, enable this alert on the Alerts page in the app.
Insights: ELB, Insights: EIP, Insights: EBS Used to generate insights. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
ELB Alert: latency Sets off an alert when ELB latency is greater than 100 seconds. To use this alert, enable this alert on the Alerts page in the app.
Machine Learning Recommendation This saved search runs every day to generate Recommendations on the Topology dashboard. Automatically enabled. No action required. Scheduled to run every night at 9pm. Splunk recommends that you not run this search manually.
RI Expiration Alert - RI Plans expired within one month Sets off an alert when an RI plan is about to expire within one month. To use this alert, enable this alert on the Alerts page in the app.
Addon Synchronization Synchronizes macro searches between the Splunk Add-on for AWS and the Splunk App for AWS. If you use any indexes other than main, run this macro to update the app's index macro.
VPC Flow Logs Summary Generator (Dest Port, Dest IP, Src IP) Generates VPC Flow Logs data in summary index. Automatically enabled when you configure any input through the Splunk App for AWS Configure tab. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search.
Last modified on 07 November, 2019
Share data in the Splunk App for AWS   Lookups for the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters