Splunk® App for AWS (Legacy)

Installation and Configuration Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Use a custom index for storing AWS accounts and inputs data

Most configuration for the app is handled in the add-on. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for AWS, see Installation overview for the Splunk Add-on for AWS in the Splunk Add-on for AWS manual.

By default, your AWS accounts and inputs data are stored in a predefined index named "summary." If you want to use a custom index, perform the following steps:

  1. Create an index in which you want to store AWS accounts and inputs data. You must create the index on an indexer or indexer cluster, and not on a search head or heavy forwarder. See Create custom indexes for information about creating an index.
  2. In the Splunk Add-on for AWS, modify the aws-account-index and aws-input-index macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  3. In the Splunk Add-on for AWS, run these saved searches: Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs.
    1. Go to Settings > searches, reports, and alerts.
    2. In the Actions column, click Run for each saved search.
  4. In the Splunk App for AWS, modify the aws-account-summary, aws-input-summary, and aws-sourcetype-index-summary macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  5. In the Splunk App for AWS, run the Addon Synchronization saved search to sync the macros.
Last modified on 03 May, 2021
Configure dashboard warning messages and billing options   Upgrade the Splunk App for AWS

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 6.0.1, 6.0.2, 6.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters