Splunk® App for AWS (Legacy)

User Manual



On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Create anomaly detection rules

Create anomaly detection rules to detect outliers in your collected data, that is, user or system behavior that deviates from the norm, so that you can investigate further and take preventive action on potential problems. An anomaly detection rule is a custom saved search scheduled to run on a regular basis. Once created, the recurring job appears in the Anomaly Detection Jobs panel of the Anomaly Detection Overview dashboard.

  1. In the Web UI, choose Search > Search.
  2. Enter the search to use as the anomaly detection rule and run it. For example, sourcetype=aws:cloudtrail | timechart count span=30m.
    Note: A valid anomaly detection rule search must pipe its results through a ... | timechart count ... fragment so that the job receives time-series data (one count per time bucket). Searches that return raw events or non-time-series statistics cannot be scheduled as anomaly detection jobs.
  3. Go to the Visualization tab and choose the Anomaly Detection Visualization chart.
  4. Click Schedule Job.
  5. In the Anomaly detection job settings window, schedule the anomaly detection job and enter information such as priority and train period.
    By default, saved searches run hourly at 5 minutes past the hour. Schedule alerts at the same frequency and make sure they trigger only after the search job has completed, allowing for the search execution time; an alert that fires before the job finishes evaluates stale or empty results and can miss an anomaly. By default, the alert triggers at 15 minutes past every hour, 10 minutes after the search job is scheduled to run.
  6. Click Save.
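The following is an added example, not code from the Splunk App for AWS or its documentation. It shows what the procedure above produces and consumes: constructed CloudTrail-style events are bucketed into 30-minute counts (the equivalent of sourcetype=aws:cloudtrail | timechart count span=30m from step 2), a baseline is learned from an initial train period (step 5), and later buckets that deviate from that baseline are flagged. The mean/standard-deviation z-score used for flagging, the sample events, and the helper names are all assumptions for illustration; the page does not document the app's own scoring method.

```python
"""Added example (not the Splunk App for AWS's own code): emulate
`| timechart count span=30m` over constructed CloudTrail-style events,
then flag buckets that deviate from a baseline learned in a train period.
The z-score threshold is an illustrative assumption, not the app's method."""
import json
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=30)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_events():
    """Constructed CloudTrail-like records (not real data): 2, 3 or 4 EC2
    describe calls per 30-minute bucket over six hours, plus a burst of
    failed console logins in the final bucket to act as the outlier."""
    base = datetime(2017, 8, 29, 0, 0, tzinfo=timezone.utc)
    events = []
    for bucket in range(12):
        start = base + bucket * SPAN
        for i in range(2 + bucket % 3):          # 7-minute spacing stays inside the bucket
            events.append({"eventTime": (start + timedelta(minutes=7 * i)).strftime(TIME_FMT),
                           "eventName": "DescribeInstances",
                           "eventSource": "ec2.amazonaws.com"})
    burst_start = base + 11 * SPAN
    for i in range(15):
        events.append({"eventTime": (burst_start + timedelta(minutes=i)).strftime(TIME_FMT),
                       "eventName": "ConsoleLogin",
                       "eventSource": "signin.amazonaws.com",
                       "errorMessage": "Failed authentication"})
    return [json.dumps(e) for e in events]


def parse_event_time(raw):
    """Extract eventTime from a JSON CloudTrail record as an aware UTC datetime."""
    return datetime.strptime(json.loads(raw)["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)


def timechart_count(raw_events, span=SPAN):
    """Equivalent of `| timechart count span=30m`: count events per fixed-width
    bucket and return (bucket_start, count) pairs in time order, filling
    empty buckets with zero as timechart does."""
    step = int(span.total_seconds())
    counts = Counter()
    for raw in raw_events:
        epoch = int(parse_event_time(raw).timestamp())
        counts[epoch - epoch % step] += 1
    if not counts:
        return []
    lo, hi = min(counts), max(counts)
    return [(datetime.fromtimestamp(b, tz=timezone.utc), counts.get(b, 0))
            for b in range(lo, hi + step, step)]


def flag_anomalies(series, train_buckets, z_threshold=3.0):
    """Learn mean/stddev from the first `train_buckets` points (the train
    period), then flag later points whose z-score exceeds the threshold.
    A zero-variance baseline flags any change at all, so keep the train
    period long enough to cover normal variation."""
    train = [c for _, c in series[:train_buckets]]
    mean = statistics.mean(train)
    stdev = statistics.pstdev(train)
    flagged = []
    for ts, c in series[train_buckets:]:
        is_outlier = (c != mean) if stdev == 0 else abs(c - mean) / stdev > z_threshold
        if is_outlier:
            flagged.append((ts, c))
    return flagged


if __name__ == "__main__":
    series = timechart_count(build_sample_events())
    for ts, c in series:
        print(ts.strftime(TIME_FMT), c)
    for ts, c in flag_anomalies(series, train_buckets=8):
        print("ANOMALY", ts.strftime(TIME_FMT), c)
```

Run it as a script to see the twelve 30-minute buckets followed by the single flagged bucket at 05:30 UTC, which holds the constructed login burst. The same shape applies to any rule you schedule in the app: whatever the search counts per bucket is what the job baselines, so pick a search whose count actually tracks the behavior you want to catch (for example, failed ConsoleLogin events rather than all CloudTrail events).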
Last modified on 29 August, 2017

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3

