Create indexes and schedule saved searches for the Splunk App for AWS
When you install the Splunk App for AWS, create the summary indexes that its preconfigured saved searches write to and report on. The Splunk App for AWS uses saved searches and search macros to generate dashboards and reports for the AWS data you collect. Those saved searches and search macros assume that certain indexes already exist. For a list of the indexes and information about creating them, see Create indexes for the Splunk App for AWS.
After you create the indexes, schedule these saved searches to update the search macros and keep the Splunk App for AWS in sync with the Splunk Add-on for Amazon Web Services:
- Addon Synchronization
- App Upgrader
For information about scheduling the saved searches, see Schedule saved searches after creating indexes for the Splunk App for AWS.
Create indexes for the Splunk App for AWS
Add the indexes on every indexer that stores AWS data from the Splunk Add-on for Amazon Web Services. An indexer that lacks one of them cannot store the summary events the saved searches send to it. By default, the Splunk App for AWS is configured to use these summary indexes:
- aws_topology_history
- aws_topology_daily_snapshot
- aws_topology_monthly_snapshot
- aws_topology_playback
- aws_vpc_flow_logs
- aws_anomaly_detection
To add new indexes, see indexes.conf in the Splunk Enterprise Admin Manual.
Create the indexes by adding the following stanzas to indexes.conf on each indexer. The frozenTimePeriodInSecs values set how long each summary is retained before its buckets are frozen; because coldToFrozenDir is set, frozen buckets are archived to that directory rather than deleted, so plan for that space. The aws_anomaly_detection stanza sets no frozenTimePeriodInSecs and so keeps the Splunk default retention. repFactor = auto replicates the index in an indexer cluster and is ignored on a standalone indexer.
[aws_topology_history]
coldToFrozenDir = $SPLUNK_DB/aws_topology_history/frozendb
coldPath = $SPLUNK_DB/aws_topology_history/colddb
homePath = $SPLUNK_DB/aws_topology_history/db
thawedPath = $SPLUNK_DB/aws_topology_history/thaweddb
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600
repFactor = auto

[aws_topology_daily_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_daily_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_daily_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_daily_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_daily_snapshot/thaweddb
# frozen time is about 6 months (180 days)
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600
repFactor = auto

[aws_topology_monthly_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_monthly_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_monthly_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_monthly_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_monthly_snapshot/thaweddb
# frozen time is 365 days
frozenTimePeriodInSecs = 31536000
maxHotIdleSecs = 86400
repFactor = auto

[aws_topology_playback]
coldToFrozenDir = $SPLUNK_DB/aws_topology_playback/frozendb
coldPath = $SPLUNK_DB/aws_topology_playback/colddb
homePath = $SPLUNK_DB/aws_topology_playback/db
thawedPath = $SPLUNK_DB/aws_topology_playback/thaweddb
# frozen time is about 6 months (180 days)
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600
repFactor = auto

[aws_vpc_flow_logs]
coldToFrozenDir = $SPLUNK_DB/aws_vpc_flow_logs/frozendb
coldPath = $SPLUNK_DB/aws_vpc_flow_logs/colddb
homePath = $SPLUNK_DB/aws_vpc_flow_logs/db
thawedPath = $SPLUNK_DB/aws_vpc_flow_logs/thaweddb
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600
repFactor = auto

[aws_anomaly_detection]
coldToFrozenDir = $SPLUNK_DB/aws_anomaly_detection/frozendb
coldPath = $SPLUNK_DB/aws_anomaly_detection/colddb
homePath = $SPLUNK_DB/aws_anomaly_detection/db
thawedPath = $SPLUNK_DB/aws_anomaly_detection/thaweddb
repFactor = auto
Schedule saved searches after creating indexes for the Splunk App for AWS
You must schedule the Addon Synchronization and App Upgrader saved searches after you create the summary indexes for the Splunk App for AWS so that the app and the Splunk Add-on for Amazon Web Services work together properly. Follow these steps to run and schedule the saved searches. For more information about them, see Saved searches for the Splunk App for AWS.
- In Splunk Web, go to Settings > Searches, reports, and alerts.
- To find the saved searches more easily, select Splunk App for AWS from the App selector.
- Run the Addon Synchronization and App Upgrader saved searches.
- Configure schedules for the Addon Synchronization and App Upgrader saved searches. Click Edit under the Actions column and select Edit Schedule.
- Enable Schedule Report.
- Specify a regular schedule to run each saved search. When you're done, Save and exit the saved search configuration.
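The two procedures above (confirm the summary indexes exist on each indexer, then run and schedule the saved searches) can be done from a shell instead of Splunk Web, which is what you want when the same setup has to be repeated across environments. The following script is an added example, not code from Splunk or from the Splunk App for AWS. It checks the merged indexes.conf with btool so a stanza deployed to the wrong place shows up as missing, and it drives the saved searches through the splunkd management port REST API. It assumes SPLUNK_HOME, SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASS come from the environment, that the app directory is splunk_app_aws, and that the saved-search object names are exactly "Addon Synchronization" and "App Upgrader"; none of those are stated on this page, so confirm the names under Settings > Searches, reports, and alerts before relying on them.

```shell
#!/bin/sh
# Added example; not from the Splunk App for AWS or its documentation.
# 1) On an indexer, confirm every summary index the app expects is present in the
#    merged indexes.conf (btool reports what splunkd will actually load).
# 2) On the search head, run the two saved searches once and then enable a
#    schedule for each, via the splunkd REST API on port 8089.
# Assumed, not taken from the page: SPLUNK_HOME/SPLUNK_HOST/SPLUNK_USER/SPLUNK_PASS
# environment variables, the app directory splunk_app_aws, and the saved-search
# names "Addon Synchronization" and "App Upgrader".

REQUIRED_INDEXES="aws_topology_history aws_topology_daily_snapshot \
aws_topology_monthly_snapshot aws_topology_playback aws_vpc_flow_logs \
aws_anomaly_detection"

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
SPLUNK_HOST=${SPLUNK_HOST:-localhost}
APP=splunk_app_aws
CURL=${CURL:-curl}   # overridable so the REST helpers can be dry-run

# Print the stanza names in the merged indexes.conf, one per line.
index_stanzas() {
    "$SPLUNK_HOME/bin/splunk" btool indexes list | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# Read existing index names on stdin; print each required index that is absent.
# Exit status 1 if anything is missing, 0 when all six are present.
missing_indexes() {
    existing=$(cat)
    rc=0
    for idx in $REQUIRED_INDEXES; do
        if ! printf '%s\n' "$existing" | grep -qx "$idx"; then
            printf '%s\n' "$idx"
            rc=1
        fi
    done
    return $rc
}

# REST URL for an app-level saved search (owner "nobody" = shared in the app).
# Only spaces are percent-encoded, which covers the two assumed names.
saved_search_url() {
    name=$(printf '%s' "$1" | sed 's/ /%20/g')
    printf 'https://%s:8089/servicesNS/nobody/%s/saved/searches/%s' \
        "$SPLUNK_HOST" "$APP" "$name"
}

# Run a saved search once now (the "Run the ... saved searches" step).
run_saved_search() {
    "$CURL" -sk -u "$SPLUNK_USER:$SPLUNK_PASS" -X POST \
        "$(saved_search_url "$1")/dispatch"
}

# Enable the schedule with a cron expression (the "Enable Schedule Report" step).
schedule_saved_search() {
    "$CURL" -sk -u "$SPLUNK_USER:$SPLUNK_PASS" \
        -d is_scheduled=1 --data-urlencode "cron_schedule=$2" \
        "$(saved_search_url "$1")"
}

main() {
    if ! index_stanzas | missing_indexes; then
        echo "summary indexes listed above are missing; fix indexes.conf on every indexer first" >&2
        return 1
    fi
    for s in "Addon Synchronization" "App Upgrader"; do
        run_saved_search "$s" >/dev/null
        schedule_saved_search "$s" "0 * * * *" >/dev/null   # hourly; adjust as needed
    done
}

case "${1:-}" in
    --run) main ;;
esac
```

Run it with `--run` on the indexer for the index check and on the search head for the scheduling step; the `-k` flag skips certificate verification against the default self-signed splunkd certificate, so drop it once the management port carries a trusted certificate.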
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 6.0.0, 6.0.1, 6.0.2, 6.0.3