Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Share data in the Splunk App for AWS

The Splunk App for AWS includes the opt-in ability to send anonymized usage data to Splunk to help improve the app in future releases. To opt in or out, enable or disable Anonymized Usage Data under Settings > Instrumentation in the Splunk Web UI.

For more information about how Splunk collects and uses data, please refer to the Splunk Privacy Policy.

How data is collected

If you opt in, the app enables an internal library to track basic usage and crash information. The library uses browser cookies to track unique visitors and sessions, and sends events to Splunk using XHR in JSON format.

What data is collected

If enabled, the Splunk App for AWS sends five different kinds of events to Splunk.

Data sent includes the common fields, plus the fields listed for each event.

| Event | Source type | Description | Field | Type | Field description |
|---|---|---|---|---|---|
| Session start | mint:ping | Each ping event indicates that a new session has started. | fsEncrypted | N/A | Not used, always "NA" |
| | | | rooted | N/A | Not used, always false |
| Session end | mint:gnip | Each gnip event indicates that a session has ended. | ses_duration | int | How long the session lasted |
| Page views | mint:view | Triggered once per page view in the app. | current | string | The URL of the current web page, without the hostname. |
| | | | currentView | string | Not used. Hardcoded to 'examples'. |
| | | | domProcessingTime | int | Time spent to process the domain. |
| | | | domLookupTime | int | Time spent to look up the domain name. |
| | | | elapsedTime | int | Time spent to render the page. |
| | | | host | string | The hostname in the URL. |
| | | | loadTime | int | Time spent to load the page. |
| | | | previous | string | The referrer URL. |
| | | | serverTime | int | Time spent to get a response from the server. |
| App performance and configuration | mint:log | Usage and performance logs for the Splunk App for AWS that track dashboard memory usage, dashboard loading times, the number of accounts, inputs, and regions configured in the app, and non-sensitive input configuration parameters (for example, SQS queue names and S3 bucket names are not collected). | level | int | Log level. For example, 60 means 'error'. |
| | | | log_name | any | Log content. See examples below. |
| API calls | mint:network | XMLHTTPRequest calls, usually HTTP API calls from client side (browser) to the Splunk server. | failed | boolean | Indicates if the request failed or not. |
| | | | latency | int | Time spent before response received. |
| | | | protocol | string | Network protocol: either http or https. |
| | | | requestLength | string | N/A. Not used. |
| | | | responseLength | int | The size of the response. |
| | | | statusCode | string | HTTP response code. |
| | | | url | string | The request URL, without the hostname. |

Common fields

The data that the Splunk App for AWS sends to Splunk, if enabled, includes the following common fields. This set of fields includes several fields that are disabled or deliberately not used for the Splunk App for AWS for purposes of anonymization.

| Field | Type | Description | Example value |
|---|---|---|---|
| apiKey | string | MINT API key for the Splunk App for AWS | 4t2fk73n |
| appRunningState | | Field is unused by the SDK. Shows a value of "NA" in all events. | |
| appVersionCode | | Field is unused by the SDK. Shows a value of "NA" in all events. | |
| appVersionName | string | The version name of the app sending data. | 4.1.0 |
| browser | string | The browser name. | Chrome |
| browserVersion | string | The browser version. | 47.0.2526.111 |
| carrier | | Field is unused by the SDK. Shows a value of "NA" in all events. | |
| connection | | Field is unused by the SDK. Shows a value of "NA" in all events. | |
| device | string | The device making the request. | MacIntel |
| extraData | JSON object | This field stores custom information for the app. This app uses extraData.splunk_version to store the version number of the Splunk platform instance. | 6.3.1511 |
| locale | string | The user locale set in the browser. | en-US |
| osVersion | string | The version code of the underlying operating system. | OS X 10.11.2 |
| packageName | string | The package name of the Splunk App for AWS. | splunk_app_aws |
| platform | | Not used for the Splunk App for AWS. Shows a value of "web" in all events. | |
| remoteIP | | Not used for the Splunk App for AWS. Shows a value of "3.0.0.0" in all events. | |
| sdkVersion | string | The version of the SDK. | 4.3 |
| screenOrientation | | Field is unused by the SDK. Shows a value of "NA" in all events. | |
| session_id | string | A unique string to identify a session. | a5026251 |
| state | string | Indicator of whether the browser is online or not. Can be either CONNECTED or DISCONNECTED. | CONNECTED |
| uuid | UUID | A random identifier to track the user's uniqueness | 837227ea-4569-4675-9a17-ccb39ca69505 |
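
If you opt in, you can check captured telemetry against the schema documented above. The following is an added example, not code from Splunk or the app: it audits one event for undocumented fields, for anonymization fields that do not carry their documented constant, and for URL fields that should be path-only. It assumes events are captured as JSON objects paired with their source type (for instance from a proxy log); `audit_event`, the sample events, and the hostname in them are constructed for illustration.

```python
from urllib.parse import urlsplit

# Fields the page documents as unused, with the constant each always carries.
FIXED = {
    "appRunningState": "NA", "appVersionCode": "NA", "carrier": "NA",
    "connection": "NA", "screenOrientation": "NA", "platform": "web",
    "remoteIP": "3.0.0.0", "fsEncrypted": "NA", "rooted": False,
}
COMMON = {
    "apiKey", "appRunningState", "appVersionCode", "appVersionName", "browser",
    "browserVersion", "carrier", "connection", "device", "extraData", "locale",
    "osVersion", "packageName", "platform", "remoteIP", "sdkVersion",
    "screenOrientation", "session_id", "state", "uuid",
}
EXTRA = {  # extra fields per source type, from the event table
    "mint:ping": {"fsEncrypted", "rooted"},
    "mint:gnip": {"ses_duration"},
    "mint:view": {"current", "currentView", "domProcessingTime", "domLookupTime",
                  "elapsedTime", "host", "loadTime", "previous", "serverTime"},
    "mint:log": {"level", "log_name"},
    "mint:network": {"failed", "latency", "protocol", "requestLength",
                     "responseLength", "statusCode", "url"},
}
PATH_ONLY = ("current", "url")  # documented as "without the hostname"

def audit_event(sourcetype, event):
    """List every way one captured event deviates from the documented schema."""
    if sourcetype not in EXTRA:
        return [f"undocumented source type: {sourcetype}"]
    findings = [f"undocumented field: {name}"
                for name in sorted(set(event) - COMMON - EXTRA[sourcetype])]
    for name, expected in FIXED.items():
        if name in event and event[name] != expected:
            findings.append(f"{name}: expected {expected!r}, got {event[name]!r}")
    for name in PATH_ONLY:
        parts = urlsplit(str(event.get(name, "")))
        if parts.scheme or parts.netloc:
            findings.append(f"{name} is not path-only: {event[name]!r}")
    return findings

# Constructed sample events (not captured traffic), using the page's example values.
BASE = {"apiKey": "4t2fk73n", "packageName": "splunk_app_aws", "platform": "web",
        "remoteIP": "3.0.0.0", "carrier": "NA", "session_id": "a5026251",
        "uuid": "837227ea-4569-4675-9a17-ccb39ca69505", "state": "CONNECTED"}
CLEAN = {**BASE, "url": "/en-US/splunkd/__raw/services/search/jobs",
         "statusCode": "200", "failed": False, "protocol": "https"}
LEAKY = {**CLEAN, "remoteIP": "10.1.2.3", "bucket_name": "constructed-bucket",
         "url": "https://splunk.corp.example:8000/en-US/splunkd/__raw/services"}
print(audit_event("mint:network", LEAKY))
```

An empty list means the event matches the documented schema; each string in a non-empty list names one deviation to investigate.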

Example app performance and configuration events

The Splunk App for AWS sends performance and configuration information using the log_name field in the mint:log source type. The log_name field contains two sub-fields: name, which indicates the type of log being transmitted, and data, which holds the content of the tracking log.

There are three possible options for name:

  • track_performance. When a user accesses a dashboard in the app, the Splunk App for AWS sends performance logs for dashboard memory usage and loading times.
  • track_configuration. When a Splunk admin visits the Configure page, the Splunk App for AWS sends a log of the number of accounts, inputs, and regions configured in the app, and non-sensitive input configuration parameters. (For example, SQS queue names and S3 bucket names are not collected.)
  • track_usage. When a Splunk admin visits the Configure page, the Splunk App for AWS sends a log of the data volume that each input is responsible for.

The following examples demonstrate what data the Splunk App for AWS sends for each type of event.

log_name.name: track_performance. Example JSON object:
{ 
 "memory":{ 
   "totalJSHeapSize":72200000,
   "usedJSHeapSize":39600000,
   "jsHeapSizeLimit":1620000000
 },
 "timing":{ 
   "navigationStart":1453273923766,
   "unloadEventStart":1453273923929,
   "unloadEventEnd":1453273923930,
   "redirectStart":0,
   "redirectEnd":0,
   "fetchStart":1453273923766,
   "domainLookupStart":1453273923766,
   "domainLookupEnd":1453273923766,
   "connectStart":1453273923766,
   "connectEnd":1453273923766,
   "secureConnectionStart":0,
   "requestStart":1453273923773,
   "responseStart":1453273923927,
   "responseEnd":1453273923929,
   "domLoading":1453273923939,
   "domInteractive":1453273923975,
   "domContentLoadedEventStart":1453273923975,
   "domContentLoadedEventEnd":1453273923975,
   "domComplete":1453273926985,
   "loadEventStart":1453273926985,
   "loadEventEnd":1453273926987
 }
}
log_name.name: track_configuration. Example JSON object:
{  
   "addon":{  
      "isLocal":true,
      "version":"4.0.0"
   },
   "accounts":{  
      "count":3,
      "details":[  
         {  
            "name":"testaccount4",
            "category":"4"
         },
         {  
            "name":"testaccount1",
            "category":"1"
         },
         {  
            "name":"Peter",
            "category":"1"
         }
      ]
   },
   "inputs":{  
      "config":{  
         "count":1,
         "details":[  
            {  
               "account":"Peter",
               "regions":"ap-southeast-1",
               "index":"main",
               "interval":"30"
            }
         ]
      },
      "billing":{  
         "count":1,
         "details":[  
            {  
               "account":"Peter",
               "index":"main",
               "interval":"86400",
               "billing_daily_type":"2",
               "billing_montly_type":"2"
            }
         ]
      },
      "cloudwatch-logs":{  
         "count":2,
         "details":[  
            {  
               "account":"Peter",
               "regions":"ap-southeast-1",
               "index":"history",
               "interval":"600"
            },
            {  
               "account":"Peter",
               "regions":"ap-southeast-1,ap-southeast-2",
               "index":"history",
               "interval":"600"
            }
         ]
      },
      "cloudwatch":{  
         "count":2,
         "details":[  
            {  
               "account":"testaccount4",
               "regions":"cn-north-1",
               "index":"default",
               "interval":"3600",
               "metric_namespaces":"[\"AWS/Billing\", \"AWS/EBS\", \"AWS/EC2\", \"AWS/ELB\", \"AWS/S3\", \"AWS/SNS\", \"AWS/SQS\"]",
               "metric_details":"[{\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"ServiceName\": [\".*\"], \"Currency\": \".*\"}], \"metrics\": [\"EstimatedCharges\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"VolumeId\": [\".*\"]}], \"metrics\": [\"VolumeWriteOps\", \"VolumeTotalReadTime\", \"VolumeQueueLength\", \"VolumeTotalWriteTime\", \"VolumeWriteBytes\", \"VolumeIdleTime\", \"VolumeReadOps\", \"VolumeReadBytes\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"InstanceId\": [\".*\"]}], \"metrics\": [\"NetworkOut\", \"NetworkIn\", \"CPUCreditBalance\", \"StatusCheckFailed_Instance\", \"CPUCreditUsage\", \"StatusCheckFailed_System\", \"DiskReadOps\", \"DiskWriteBytes\", \"StatusCheckFailed\", \"CPUUtilization\", \"DiskReadBytes\", \"DiskWriteOps\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"LoadBalancerName\": [\".*\"]}], \"metrics\": [\"UnHealthyHostCount\", \"HealthyHostCount\", \"BackendConnectionErrors\", \"HTTPCode_ELB_5XX\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"BucketName\": [\".*\"], \"StorageType\": [\".*\"]}], \"metrics\": [\"NumberOfObjects\", \"BucketSizeBytes\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"TopicName\": [\".*\"]}], \"metrics\": [\"NumberOfNotificationsFailed\", \"NumberOfMessagesPublished\", \"PublishSize\", \"NumberOfNotificationsDelivered\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"QueueName\": [\".*\"]}], \"metrics\": [\"ApproximateNumberOfMessagesVisible\", \"NumberOfMessagesSent\", \"NumberOfMessagesDeleted\", \"ApproximateNumberOfMessagesNotVisible\", \"SentMessageSize\", \"ApproximateNumberOfMessagesDelayed\", \"NumberOfMessagesReceived\", \"NumberOfEmptyReceives\"]}]"
            },
            {  
               "account":"Peter",
               "regions":"eu-central-1,ap-northeast-1,eu-west-1,us-east-1,ap-southeast-1,ap-southeast-2,us-west-2,us-west-1,sa-east-1",
               "index":"default",
               "interval":"3600",
               "metric_namespaces":"[\"AWS/Billing\", \"AWS/EBS\", \"AWS/EC2\", \"AWS/ELB\", \"AWS/S3\", \"AWS/SNS\", \"AWS/SQS\"]",
               "metric_details":"[{\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"ServiceName\": [\".*\"], \"Currency\": \".*\"}], \"metrics\": [\"EstimatedCharges\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"VolumeId\": [\".*\"]}], \"metrics\": [\"VolumeIdleTime\", \"VolumeWriteBytes\", \"VolumeReadOps\", \"VolumeQueueLength\", \"VolumeReadBytes\", \"VolumeTotalWriteTime\", \"VolumeWriteOps\", \"VolumeTotalReadTime\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"InstanceId\": [\".*\"]}], \"metrics\": [\"DiskReadBytes\", \"NetworkOut\", \"StatusCheckFailed_Instance\", \"NetworkIn\", \"StatusCheckFailed\", \"StatusCheckFailed_System\", \"CPUUtilization\", \"CPUCreditBalance\", \"DiskWriteOps\", \"DiskWriteBytes\", \"DiskReadOps\", \"CPUCreditUsage\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"LoadBalancerName\": [\".*\"]}], \"metrics\": [\"UnHealthyHostCount\", \"HTTPCode_ELB_5XX\", \"HealthyHostCount\", \"BackendConnectionErrors\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"BucketName\": [\".*\"], \"StorageType\": [\".*\"]}], \"metrics\": [\"NumberOfObjects\", \"BucketSizeBytes\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"TopicName\": [\".*\"]}], \"metrics\": [\"NumberOfNotificationsFailed\", \"NumberOfMessagesPublished\", \"PublishSize\", \"NumberOfNotificationsDelivered\"]}, {\"statistics\": [\"Minimum\", \"Maximum\", \"Sum\", \"Average\"], \"dimensions\": [{\"QueueName\": [\".*\"]}], \"metrics\": [\"SentMessageSize\", \"ApproximateNumberOfMessagesNotVisible\", \"ApproximateNumberOfMessagesDelayed\", \"NumberOfMessagesDeleted\", \"NumberOfMessagesSent\", \"NumberOfMessagesReceived\", \"ApproximateNumberOfMessagesVisible\", \"NumberOfEmptyReceives\"]}]"
            }
         ]
      },
      "cloudtrail":{  
         "count":1,
         "details":[  
            {  
               "account":"Peter",
               "regions":"ap-southeast-1",
               "index":"main",
               "interval":"30"
            }
         ]
      },
      "description":{  
         "count":2,
         "details":[  
            {  
               "account":"testaccount4",
               "regions":"cn-north-1",
               "index":"default"
            },
            {  
               "account":"Peter",
               "regions":"eu-west-1,ap-southeast-1,ap-southeast-2,eu-central-1,ap-northeast-2,ap-northeast-1,us-east-1,sa-east-1,us-west-1,us-west-2",
               "index":"main"
            }
         ]
      },
      "s3":{  
         "count":1,
         "details":[  
            {  
               "account":"Peter",
               "index":"default",
               "interval":null
            }
         ]
      }
   }
}
log_name.name: track_usage. Example JSON object:
{
    "usage":[
        {
            "time":"2016-04-30",
            "volumes": {
                "aws:cloudtrail": 0.035876275,
                "aws:cloudwatch": 2918.7095499213,
                "aws:config": 0.288619041,
                "aws:s3": 0.288619041
            }
        }
    ]
}

What data is not collected

The following kinds of data are not collected:

  • Sensitive data such as usernames or passwords
  • Identifying information such as addresses, phone numbers, IP addresses, and hostnames
  • Indexed data that you ingest into your Splunk platform instance


No data is collected that is not explicitly described in the What data is collected section above.

Last modified on 22 June, 2018

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3

