On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
The Splunk App for AWS includes the opt-in ability to send anonymized usage data to Splunk to help improve the app in future releases. You opt in/out by enabling/disabling Anonymized Usage Data under Settings > Instrumentation on the Splunk Web UI.
For more information about how Splunk collects and uses data, please refer to the Splunk Privacy Policy.
How data is collected
If you opt in, the app enables an internal library to track basic usage and crash information. The library uses browser cookies to track app user visitor uniqueness and sessions and sends events to Splunk using XHR in JSON format.
What data is collected
If enabled, the Splunk App for AWS sends five different kinds of events to Splunk.
| Event | Source Type | Description | Data sent includes common fields, plus | ||
|---|---|---|---|---|---|
| Field | Type | Description | |||
| Session start | mint:ping
|
Each ping event indicates that a new session has started. | fsEncrypted
|
N/A | Not used, always "NA" |
rooted
|
N/A | Not used, always false | |||
| Session end | mint:gnip
|
Each gnip event indicates that a session has ended. | ses_duration
|
int | How long the session lasted |
| Page views | mint:view
|
Triggered once per page view in the app. | current
|
string | The URL of the current web page, without the hostname. |
currentView
|
string | Not used. Hardcoded to 'examples'. | |||
domProcessingTime
|
int | Time spent to process the domain. | |||
domLookupTime
|
int | Time spent to look up the domain name. | |||
elapsedTime
|
int | Time spent to render the page. | |||
host
|
string | The hostname in the URL. | |||
loadTime
|
int | Time spent to load the page. | |||
previous
|
string | The referrer URL. | |||
serverTime
|
int | Time spent to get a response from the server. | |||
| App performance and configuration |
mint:log
|
Usage and performance logs for the Splunk App for AWS that track dashboard memory usage, dashboard loading times, the number of accounts, inputs, and regions configured in the app, and non-sensitive input configuration parameters (for example, SQS queue names and S3 bucket names are not collected.) | level
|
int | Log level. For example, 60 means 'error'. |
log_name
|
any | Log content. See examples below. | |||
| API calls | mint:network
|
XMLHTTPRequest calls, usually HTTP API calls from client side (browser) to the Splunk server. | failed
|
boolean | Indicates if the request failed or not. |
latency
|
int | Time spent before response received. | |||
protocol
|
string | Network protocol: either http or https. | |||
requestLength
|
string | N/A. Not used. | |||
responseLength
|
int | The size of the response. | |||
statusCode
|
string | HTTP response code. | |||
url
|
string | The request URL, without the hostname. | |||
Common fields
The data that the Splunk App for AWS sends to Splunk, if enabled, includes the following common fields. This set of fields includes several fields that are disabled or deliberately not used for the Splunk App for AWS for purposes of anonymization.
| Field | Type | Description | Example value |
|---|---|---|---|
apiKey
|
string | MINT API key for the Splunk App for AWS | 4t2fk73n |
appRunningState
|
Field is unused by the SDK. Shows a value of "NA" in all events. | ||
appVersionCode
|
Field is unused by the SDK. Shows a value of "NA" in all events. | ||
appVersionName
|
string | The version name of the app sending data. | 4.1.0 |
browser
|
string | The browser name. | Chrome |
browserVersion
|
string | The browser version. | 47.0.2526.111 |
carrier
|
Field is unused by the SDK. Shows a value of "NA" in all events. | ||
connection
|
Field is unused by the SDK. Shows a value of "NA" in all events. | ||
device
|
string | The device making the request. | MacIntel |
extraData
|
JSON object | This field stores custom information for the app. This app uses extraData.splunk_version to store the version number of the Splunk platform instance.
|
6.3.1511 |
locale
|
string | The user locale set in the browser. | en-US |
osVersion
|
string | The version code of the underlying operating system. | OS X 10.11.2 |
packageName
|
string | The package name of the Splunk App for AWS. | splunk_app_aws |
platform
|
Not used for the Splunk App for AWS. Shows a value of "web" in all events. | ||
remoteIP
|
Not used for the Splunk App for AWS. Shows a value of "3.0.0.0" in all events. | ||
sdkVersion
|
string | The version of the SDK. | 4.3 |
screenOrientation
|
Field is unused by the SDK. Shows a value of "NA" in all events. | ||
session_id
|
string | A unique string to identify a session. | a5026251 |
state
|
string | Indicator of whether the browser is online or not. Can be either CONNECTED or DISCONNECTED. | CONNECTED |
uuid
|
UUID | A random identifier to track the user's uniqueness | 837227ea-4569-4675-9a17-ccb39ca69505 |
Example app performance and configuration events
The Splunk App for AWS sends performance and configuration information using the log_name field in the mint:log source type. This log_name field contains two sub-fields, name, which indicates which type of logs are being transmitted, and data, the content of the tracking log.
There are three possible options for name:
track_performance. When a user accesses a dashboard in the app, the Splunk App for AWS sends performance logs for dashboard memory usage and loading times.track_configuration. When a Splunk admin visits the Configure page, the Splunk App for AWS sends a log of the number of accounts, inputs, and regions configured in the app, and non-sensitive input configuration parameters. (For example, SQS queue names and S3 bucket names are not collected.)track_usage. When a Splunk admin visits the Configure page, the Splunk App for AWS sends a log of the data volume that each input is responsible for.
The following examples demonstrate what data the Splunk App for AWS sends for each type of event.
log_name.name
|
Example JSON object |
|---|---|
track_performance
|
{
"memory":{
"totalJSHeapSize":72200000,
"usedJSHeapSize":39600000,
"jsHeapSizeLimit":1620000000
},
"timing":{
"navigationStart":1453273923766,
"unloadEventStart":1453273923929,
"unloadEventEnd":1453273923930,
"redirectStart":0,
"redirectEnd":0,
"fetchStart":1453273923766,
"domainLookupStart":1453273923766,
"domainLookupEnd":1453273923766,
"connectStart":1453273923766,
"connectEnd":1453273923766,
"secureConnectionStart":0,
"requestStart":1453273923773,
"responseStart":1453273923927,
"responseEnd":1453273923929,
"domLoading":1453273923939,
"domInteractive":1453273923975,
"domContentLoadedEventStart":1453273923975,
"domContentLoadedEventEnd":1453273923975,
"domComplete":1453273926985,
"loadEventStart":1453273926985,
"loadEventEnd":1453273926987
}
}
|
track_configuration
|
{
"addon":{
"isLocal":true,
"version":"4.0.0"
},
"accounts":{
"count":3,
"details":[
{
"name":"testaccount4",
"category":"4"
},
{
"name":"testaccount1",
"category":"1"
},
{
"name":"Peter",
"category":"1"
}
]
},
"inputs":{
"config":{
"count":1,
"details":[
{
"account":"Peter",
"regions":"ap-southeast-1",
"index":"main",
"interval":"30"
}
]
},
"billing":{
"count":1,
"details":[
{
"account":"Peter",
"index":"main",
"interval":"86400",
"billing_daily_type":"2",
"billing_montly_type":"2"
}
]
},
"cloudwatch-logs":{
"count":2,
"details":[
{
"account":"Peter",
"regions":"ap-southeast-1",
"index":"history",
"interval":"600"
},
{
"account":"Peter",
"regions":"ap-southeast-1,ap-southeast-2",
"index":"history",
"interval":"600"
}
]
},
"cloudwatch":{
"count":2,
"details":[
{
"account":"testaccount4",
"regions":"cn-north-1",
"index":"default",
"interval":"3600",
"metric_namespaces":"[\"AWS/Billing\", \"AWS/EBS\", \"AWS/EC2\", \"AWS/ELB\", \"AWS/S3\", \"AWS/SNS\", \"AWS/SQS\"]",
"metric_details":"[{\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"ServiceName\": [\".*\"], \"Currency\": \".*\"}], \"metrics\": [\"EstimatedCharges\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"VolumeId\": [\".*\"]}], \"metrics\": [\"VolumeWriteOps\", \"VolumeTotalReadTime\", \"VolumeQueueLength\", \"VolumeTotalWriteTime\", \"VolumeWriteBytes\", \"VolumeIdleTime\", \"VolumeReadOps\", \"VolumeReadBytes\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"InstanceId\": [\".*\"]}], \"metrics\": [\"NetworkOut\", \"NetworkIn\", \"CPUCreditBalance\", \"StatusCheckFailed_Instance\", \"CPUCreditUsage\", \"StatusCheckFailed_System\", \"DiskReadOps\", \"DiskWriteBytes\", \"StatusCheckFailed\", \"CPUUtilization\", \"DiskReadBytes\", \"DiskWriteOps\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"LoadBalancerName\": [\".*\"]}], \"metrics\": [\"UnHealthyHostCount\", \"HealthyHostCount\", \"BackendConnectionErrors\", \"HTTPCode_ELB_5XX\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"BucketName\": [\".*\"], \"StorageType\": [\".*\"]}], \"metrics\": [\"NumberOfObjects\", \"BucketSizeBytes\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"TopicName\": [\".*\"]}], \"metrics\": [\"NumberOfNotificationsFailed\", \"NumberOfMessagesPublished\", \"PublishSize\", \"NumberOfNotificationsDelivered\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"QueueName\": [\".*\"]}], \"metrics\": [\"ApproximateNumberOfMessagesVisible\", \"NumberOfMessagesSent\", \"NumberOfMessagesDeleted\", \"ApproximateNumberOfMessagesNotVisible\", \"SentMessageSize\", \"ApproximateNumberOfMessagesDelayed\", \"NumberOfMessagesReceived\", \"NumberOfEmptyReceives\"]}]"
},
{
"account":"Peter",
"regions":"eu-central-1,ap-northeast-1,eu-west-1,us-east-1,ap-southeast-1,ap-southeast-2,us-west-2,us-west-1,sa-east-1",
"index":"default",
"interval":"3600",
"metric_namespaces":"[\"AWS/Billing\", \"AWS/EBS\", \"AWS/EC2\", \"AWS/ELB\", \"AWS/S3\", \"AWS/SNS\", \"AWS/SQS\"]",
"metric_details":"[{\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"ServiceName\": [\".*\"], \"Currency\": \".*\"}], \"metrics\": [\"EstimatedCharges\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"VolumeId\": [\".*\"]}], \"metrics\": [\"VolumeIdleTime\", \"VolumeWriteBytes\", \"VolumeReadOps\", \"VolumeQueueLength\", \"VolumeReadBytes\", \"VolumeTotalWriteTime\", \"VolumeWriteOps\", \"VolumeTotalReadTime\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"InstanceId\": [\".*\"]}], \"metrics\": [\"DiskReadBytes\", \"NetworkOut\", \"StatusCheckFailed_Instance\", \"NetworkIn\", \"StatusCheckFailed\", \"StatusCheckFailed_System\", \"CPUUtilization\", \"CPUCreditBalance\", \"DiskWriteOps\", \"DiskWriteBytes\", \"DiskReadOps\", \"CPUCreditUsage\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"LoadBalancerName\": [\".*\"]}], \"metrics\": [\"UnHealthyHostCount\", \"HTTPCode_ELB_5XX\", \"HealthyHostCount\", \"BackendConnectionErrors\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"BucketName\": [\".*\"], \"StorageType\": [\".*\"]}], \"metrics\": [\"NumberOfObjects\", \"BucketSizeBytes\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"TopicName\": [\".*\"]}], \"metrics\": [\"NumberOfNotificationsFailed\", \"NumberOfMessagesPublished\", \"PublishSize\", \"NumberOfNotificationsDelivered\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"QueueName\": [\".*\"]}], \"metrics\": [\"SentMessageSize\", \"ApproximateNumberOfMessagesNotVisible\", \"ApproximateNumberOfMessagesDelayed\", \"NumberOfMessagesDeleted\", \"NumberOfMessagesSent\", \"NumberOfMessagesReceived\", \"ApproximateNumberOfMessagesVisible\", \"NumberOfEmptyReceives\"]}]"
}
]
},
"cloudtrail":{
"count":1,
"details":[
{
"account":"Peter",
"regions":"ap-southeast-1",
"index":"main",
"interval":"30"
}
]
},
"description":{
"count":2,
"details":[
{
"account":"testaccount4",
"regions":"cn-north-1",
"index":"default"
},
{
"account":"Peter",
"regions":"eu-west-1,ap-southeast-1,ap-southeast-2,eu-central-1,ap-northeast-2,ap-northeast-1,us-east-1,sa-east-1,us-west-1,us-west-2",
"index":"main"
}
]
},
"s3":{
"count":1,
"details":[
{
"account":"Peter",
"index":"default",
"interval":null
}
]
}
}
}
|
track_usage
|
{
"usage":[
{
"time":"2016-04-30",
"volumes": {
"aws:cloudtrail": 0.035876275,
"aws:cloudwatch": 2918.7095499213,
"aws:config": 0.288619041,
"aws:s3": 0.288619041
}
}
]
}
|
What data is not collected
The following kinds of data are not collected:
- Sensitive data such as usernames or passwords
- Identifying information such as addresses, phone numbers, IP addresses, hostnames.
- Indexed data that you ingest into your Splunk platform instance
No data is collected that is not explicitly described in the What data is collected section above.
Last modified on 22 June, 2018
| Troubleshoot the Splunk App for AWS | Saved searches for the Splunk App for AWS |
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3
Download manual
Feedback submitted, thanks!