Create indexes and schedule saved searches

When you install the Splunk App for AWS Security Dashboards, create summary indexes to report on preconfigured saved searches. The Splunk App for AWS Security Dashboards uses saved searches and search macros to generate dashboards and reports for AWS data you're collecting.

The saved searches and search macros assume certain indexes already exist.

After you create indexes, schedule these saved searches to update search macros and use AWS Security Addon Synchronization to sync the Splunk App for AWS Security Dashboards with the Splunk Add-on for Amazon Web Services.

Create indexes for the Splunk App for AWS Security Dashboards

If you are migrating from Splunk App for AWS and you already have indexes created in your environment, skip this step.

Add indexes on every indexer that stores AWS data from the Splunk Add-on for Amazon Web Services. By default, Splunk App for AWS Security Dashboards is configured to use aws_vpc_flow_logs as the summary index.

To add new indexes, see Indexes.conf in the Splunk Enterprise Admin Manual.

Create the indexes by adding these index stanzas in indexes.conf on each indexer:

[aws_vpc_flow_logs]
coldToFrozenDir = $SPLUNK_DB/aws_vpc_flow_logs/frozendb
coldPath = $SPLUNK_DB/aws_vpc_flow_logs/colddb
homePath = $SPLUNK_DB/aws_vpc_flow_logs/db
thawedPath = $SPLUNK_DB/aws_vpc_flow_logs/thaweddb

# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600

repFactor = auto

Schedule saved searches

You have to schedule the AWS Security Addon Synchronization saved search after you create summary indexes for the Splunk App for AWS Security Dashboards so the app and Splunk Add-on for Amazon Web Services work together properly. Follow these steps to run the saved searches. For more information about the saved searches, see [Saved searches for the Splunk App for AWS Security Dashboards].

1. In Splunk Web, go to Settings > Searches, reports, and alerts.
2. To find the saved searches easier, select the Splunk App for AWS Security Dashboards from the App selector.
3. Run the AWS Security Addon Synchronization saved searches.
4. Configure schedules for the AWS Security Addon Synchronization saved searches. Click Edit under the Actions column and select Edit Schedule.
5. Enable Schedule Report.
6. Specify a regular schedule to run each saved search.
7. When you're done, Save and exit the saved search configuration.

Enable data model acceleration

The acceleration of the following data models is disabled by default:

• AWS Security CloudFront Access Log
• AWS Security ELB Access Log
• AWS Security S3 Access Log

You can enable acceleration for these data models to populate the data on the dashboards packaged in the app.

Ensure that your Splunk user has the admin or the sc_admin role to perform this action.

Complete the following steps on the search head for each data model mentioned above to enable the acceleration of the defined data models:

1. In Splunk Web, go to Settings > Data Models.
2. From the App list, select Splunk App for AWS Security Dashboards to see the data models defined and used by the app.
3. Select Edit for the data model you want to enable acceleration for.
4. Select Edit Acceleration.
5. Check Accelerate.
6. Select the summary range to specify the acceleration period or keep the default selection.
7. Click Save.