Splunk® App for AWS

Installation and Configuration Manual

Use a custom index for storing AWS accounts and inputs data

Most configuration for the app is handled in the add-on. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for AWS, see Installation and configuration overview for the Splunk Add-on for AWS.

By default, your AWS accounts and inputs data are stored in a predefined index named "summary." If you want to use a custom index, perform the following steps:

  1. Create an index in which you want to store AWS accounts and inputs data. You must create the index on an indexer or indexer cluster, and not on a search head or heavy forwarder. See Create custom indexes for information about creating an index.
  2. In the Splunk Add-on for AWS, modify the aws-account-index and aws-input-index macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  3. In the Splunk Add-on for AWS, run these saved searches: Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs.
    1. Go to Settings > Searches, reports, and alerts.
    2. In the Actions column, click Run for each saved search.
  4. In the Splunk App for AWS, modify the aws-account-summary and aws-input-summary macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  5. In the Splunk App for AWS, run the Addon Synchronization saved search to sync the macros.

This documentation applies to the following versions of Splunk® App for AWS: 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0


Comments

In case accounts are not added in the Add-on, for instance they are using HEC, you can run a search in the SH to add AWS accounts one by one in the lookup (please replace the fake account_id and name):
| makeresults count=1 | eval account_id=12345678, name="xyz" | table account_id, name | append [| inputlookup all_account_ids.csv] | dedup account_id | outputlookup all_account_ids.csv

Pchen splunk, Splunker
August 22, 2018
