Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.
This documentation does not apply to the most recent version of Splunk® App for AWS (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade the Splunk App for AWS

You have to prepare your Splunk App for AWS deployment before upgrading. Follow these steps to get your deployment ready to upgrade:

  • Disable scheduled reports for saved searches for the app
  • Move indexes.conf to the local directory

See Do these things before you upgrade.

After you successfully upgrade from a previous version of the Splunk App for AWS to version 6.0.2, follow these steps:

  • Delete the $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/utils directory
  • Enable data model accelerations
  • Update the aws-data-model-acceleration search macro definition
  • Schedule the Addon Synchronization and App Upgrader saved searches

See Do these things after you upgrade.

When you upgrade from a previous version to the 6.0.2 version of the Splunk App for AWS, be aware of the following changes:

  • Splunk Light and Splunk Cloud do not support the Recommendations Service feature and therefore do not require the Python for Scientific Computing app as a prerequisite.
  • This version of the app requires Splunk Add-on for AWS 4.5.0 or later. For more information, see Splunk Add-on for Amazon Web Services compatibility.
  • The Topology, EC2 Insights, and Insights Overview dashboards require the Python for Scientific Computing libraries to be fully functional.

Do these things before you upgrade

Follow these steps before you upgrade.

  1. Disable scheduling for these saved searches:
    • Config: Topology Monthly Snapshot Generator
    • Config: Topology History Appender
    • Config: Topology Playback Appender
    • Config: Topology Daily Snapshot Generator
    • VPC Flow Logs Summary Generator (Dest Port, Dest IP, Src IP)
    1. In Splunk Web, go to Settings > Searches, reports, and alerts.
    2. For the App, select splunk_app_aws.
    3. Click Edit and select Edit Schedule.
    4. Uncheck Schedule Report.
    5. Save the schedule and exit.
  2. Copy indexes.conf from $SPLUNK_HOME/etc/apps/splunk_app_aws/default to $SPLUNK_HOME/etc/apps/splunk_app_aws/local. If you're deploying the Splunk App for AWS in a distributed indexer cluster, copy indexes.conf from $SPLUNK_HOME/etc/master-apps/splunk_app_aws/default to $SPLUNK_HOME/etc/master-apps/splunk_app_aws/local.

Do these things after you upgrade

Follow these steps after you upgrade.

  1. Delete the $SPLUNK_HOME/etc/apps/splunk_app_aws/bin/utils directory. If you're deploying the Splunk App for AWS in a distributed indexer cluster, delete the $SPLUNK_HOME/etc/master-apps/splunk_app_aws/bin/utils directory.
  2. Enable data model accelerations. By default, data model accelerations are disabled when you upgrade the app. For more information about accelerating data models, see Accelerate data models in the Knowledge Manager Manual.
    1. In Splunk Web, go to Settings > Data Models. Repeat the following steps for every data model that belongs to the Splunk App for AWS.
    2. Click Edit and select Edit Acceleration.
    3. Select Accelerate and save the data model configuration.
  3. Update the definition for the aws-data-model-acceleration search macro. This configures the search macro to search only data that has already been accelerated, speeding up searches for dashboards and reports.
    1. In Splunk Web, go to Settings > Advanced Search.
    2. Select Search macros.
    3. Select the aws-data-model-acceleration search macro.
    4. Change the definition from summariesonly=f to summariesonly=t.
    5. Save the search macro and exit.
  4. Schedule the Addon Synchronization and App Upgrader saved searches.
    1. In Splunk Web, go to Settings > Searches, reports, and alerts.
    2. To find the saved searches more easily, select the Splunk App for AWS from the App selector.
    3. Run the Addon Synchronization and App Upgrader saved searches.
    4. Configure schedules for the Addon Synchronization and App Upgrader saved searches. Click Edit under the Actions column and select Edit Schedule.
    5. Enable Schedule Report.
    6. Specify a regular schedule to run each saved search. When you're done, save and exit the saved search configuration.
  5. Run the KV store synchronization saved search if you've changed the billing type on the Configure page of the app:
    1. In Splunk Web, go to Settings > Searches, reports, and alerts.
    2. Select Splunk App for AWS in the App dropdown.
    3. Search for the KVStore Synchronization saved search and click Run.
    4. After the search runs, check for the following message: "Update of KV Store billingReportType_kvstore complete!!"
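The file-level changes in the two procedures above (staging indexes.conf into local, removing bin/utils, disabling the report schedules, and switching summariesonly=f to summariesonly=t in the macro) can also be applied from a shell on the search head and verified before and after the upgrade. The following POSIX shell script is an added example; it is not part of this manual or of the app. It runs against a constructed sandbox directory standing in for $SPLUNK_HOME, with constructed default/indexes.conf and default/macros.conf contents, and writes the conf-file equivalents of the Splunk Web steps (local/savedsearches.conf with enableSched = 0, local/indexes.conf, local/macros.conf). The report names passed to disable_schedules are the four Config: reports listed above; pass the VPC Flow Logs summary generator reports by their exact names as they appear in Splunk Web. The upgrade itself is not simulated.

```shell
#!/bin/sh
# Added example: conf-file equivalents of the manual pre-/post-upgrade steps,
# exercised against a constructed sandbox rather than a real Splunk install.
set -eu

# Assumption: SPLUNK_HOME is a throwaway directory. On a real host, export
# SPLUNK_HOME=/opt/splunk (or your install path) and skip setup_fixture.
SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)}"
# On an indexer cluster, use etc/master-apps/splunk_app_aws instead.
APP="$SPLUNK_HOME/etc/apps/splunk_app_aws"

# Constructed stand-in for the shipped app files (not the real app's content).
setup_fixture() {
  mkdir -p "$APP/default" "$APP/bin/utils"
  printf '[aws_billing]\nhomePath = $SPLUNK_DB/aws_billing/db\n' \
    > "$APP/default/indexes.conf"
  printf '[aws-data-model-acceleration]\ndefinition = summariesonly=f\n' \
    > "$APP/default/macros.conf"
  : > "$APP/bin/utils/placeholder.py"
}

# Before upgrade, step 1: stop the named reports from running on a schedule.
# enableSched = 0 in a local override is the conf-file form of unchecking
# "Schedule Report" in Splunk Web. Report names are passed as arguments.
disable_schedules() {
  mkdir -p "$APP/local"
  for name in "$@"; do
    printf '[%s]\nenableSched = 0\n\n' "$name"
  done >> "$APP/local/savedsearches.conf"
}

# Before upgrade, step 2: keep index definitions in local/ so the upgrade,
# which replaces default/, cannot discard them.
stage_indexes_conf() {
  mkdir -p "$APP/local"
  cp "$APP/default/indexes.conf" "$APP/local/indexes.conf"
}

# After upgrade, step 1: remove the stale helper directory.
remove_utils_dir() {
  rm -rf "$APP/bin/utils"
}

# After upgrade, step 3: override the macro so it reads accelerated summaries
# only. The definition line is copied from default/ with summariesonly=f
# rewritten to summariesonly=t, so any other tokens in it are preserved.
override_macro() {
  mkdir -p "$APP/local"
  awk '
    /^\[/ { inside = ($0 == "[aws-data-model-acceleration]") }
    inside && /^definition[ \t]*=/ {
      sub(/summariesonly=f/, "summariesonly=t")
      print "[aws-data-model-acceleration]"; print; exit
    }
  ' "$APP/default/macros.conf" > "$APP/local/macros.conf"
}

# Check helper: the macro definition now in force from the local override.
macro_definition() {
  sed -n 's/^definition[[:space:]]*=[[:space:]]*//p' "$APP/local/macros.conf"
}

# Check helper: number of reports whose schedule has been disabled.
disabled_schedule_count() {
  grep -c '^enableSched = 0$' "$APP/local/savedsearches.conf"
}

setup_fixture
disable_schedules \
  'Config: Topology Monthly Snapshot Generator' \
  'Config: Topology History Appender' \
  'Config: Topology Playback Appender' \
  'Config: Topology Daily Snapshot Generator'
stage_indexes_conf
# (the app upgrade would happen here on a real host)
remove_utils_dir
override_macro
echo "schedules disabled: $(disabled_schedule_count)"
echo "macro definition:   $(macro_definition)"
```

On a real host, confirm which definition Splunk resolves with `$SPLUNK_HOME/bin/splunk btool macros list aws-data-model-acceleration --debug`, which reports the file each setting came from, then restart or reload the app so the local overrides take effect. Enabling data model acceleration and scheduling the Addon Synchronization and App Upgrader searches are left to Splunk Web as the procedure above describes.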

Change the AWS Cost and Usage Report time interval from hourly to daily

Version 6.0.0 introduced the ability to collect AWS Cost and Usage Report (CUR) at an hourly or daily collection interval. Follow these steps to switch to a daily collection interval.

  1. Disable data collection for the hourly CUR in the Splunk Add-on for Amazon Web Services.
  2. Configure data collection for a daily CUR in the Splunk Add-on for Amazon Web Services.
  3. Update the Splunk App for AWS to version 6.0.1.

Use Python 3 with Splunk Enterprise

On January 1, 2020, the Python Software Foundation will no longer support Python version 2.x. Existing Python packages and tools will end support for Python 2, and new Python packages won't support Python 2. To maintain compatibility with the many third party projects that use Python, Splunk will migrate Splunk Enterprise, supported Premium Solutions, and supported Splunkbase apps and add-ons to Python 3.7 compatibility.

Splunk Enterprise version 8.0.0 supports the migration from Python 2 to Python 3 by including both the Python 2.7 and Python 3.7 runtimes. Splunk will remove the Python 2.7 runtime altogether in a future release. For more information about the Python 3 migration, see Python 3 migration with the Splunk platform.

To use Python 3, upgrade the Splunk App for AWS to version 6.0.1 before upgrading to Splunk Enterprise version 8.0.0 and enabling Python 3.

Last modified on 07 January, 2021

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 6.0.2