Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Create indexes and schedule saved searches for the Splunk App for AWS

When you install the Splunk App for AWS, create summary indexes to report on preconfigured saved searches. The Splunk App for AWS uses saved searches and search macros to generate dashboards and reports for AWS data you're collecting. The saved searches and search macros assume certain indexes already exist. For a list of the indexes and information about creating them, see Create indexes for the Splunk App for AWS.

After you create indexes, schedule these saved searches to update search macros and sync the Splunk App for AWS with the Splunk Add-on for Amazon Web Services:

  • Addon Synchronization
  • App Upgrader

For information about scheduling the saved searches, see Run saved searches after creating indexes for the Splunk App for AWS.

Create indexes for the Splunk App for AWS

Add indexes on every indexer that stores AWS data from the Splunk Add-on for Amazon Web Services. By default, Splunk App for AWS is configured to use these summary indexes:

  • aws_topology_history
  • aws_topology_daily_snapshot
  • aws_topology_monthly_snapshot
  • aws_topology_playback
  • aws_vpc_flow_logs
  • aws_anomaly_detection

To add new indexes, see indexes.conf in the Splunk Enterprise Admin Manual.

Create the indexes by adding these index stanzas in indexes.conf on each indexer: 

[aws_topology_history]
coldToFrozenDir = $SPLUNK_DB/aws_topology_history/frozendb
coldPath = $SPLUNK_DB/aws_topology_history/colddb
homePath = $SPLUNK_DB/aws_topology_history/db
thawedPath = $SPLUNK_DB/aws_topology_history/thaweddb

# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600

repFactor = auto


[aws_topology_daily_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_daily_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_daily_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_daily_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_daily_snapshot/thaweddb

#frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600

repFactor = auto


[aws_topology_monthly_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_monthly_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_monthly_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_monthly_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_monthly_snapshot/thaweddb

# frozen time is 365 days
frozenTimePeriodInSecs = 31536000
maxHotIdleSecs = 86400

repFactor = auto


[aws_topology_playback]
coldToFrozenDir = $SPLUNK_DB/aws_topology_playback/frozendb
coldPath = $SPLUNK_DB/aws_topology_playback/colddb
homePath = $SPLUNK_DB/aws_topology_playback/db
thawedPath = $SPLUNK_DB/aws_topology_playback/thaweddb

#frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600

repFactor = auto


[aws_vpc_flow_logs]
coldToFrozenDir = $SPLUNK_DB/aws_vpc_flow_logs/frozendb
coldPath = $SPLUNK_DB/aws_vpc_flow_logs/colddb
homePath = $SPLUNK_DB/aws_vpc_flow_logs/db
thawedPath = $SPLUNK_DB/aws_vpc_flow_logs/thaweddb

# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600

repFactor = auto


[aws_anomaly_detection]
coldToFrozenDir = $SPLUNK_DB/aws_anomaly_detection/frozendb
coldPath = $SPLUNK_DB/aws_anomaly_detection/colddb
homePath = $SPLUNK_DB/aws_anomaly_detection/db
thawedPath = $SPLUNK_DB/aws_anomaly_detection/thaweddb

repFactor = auto

Schedule saved searches after creating indexes for the Splunk App for AWS

You have to schedule the Addon Synchronization and App Upgrader saved searches after you create summary indexes for the Splunk App for AWS so the app and Splunk Add-on for Amazon Web Services work together properly. Follow these steps to run the saved searches. For more information about the saved searches, see Saved searches for the Splunk App for AWS.

  1. In Splunk Web, go to Settings > Searches, reports, and alerts.
  2. To find the saved searches easier, select the Splunk App for AWS from the App selector.
  3. Run the Addon Synchronization and App Upgrader saved searches.
  4. Configure schedules for the Addon Synchronization and App Upgrader saved searches. Click Edit under the Actions column and select Edit Schedule.
  5. Enable Schedule Report.
  6. Specify a regular schedule to run each saved search. When you're done, Save and exit the saved search configuration.
Last modified on 12 November, 2019
Install the Splunk App for AWS on Splunk Light   Configure dashboard warning messages and billing options

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 6.0.0, 6.0.1, 6.0.2, 6.0.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters