Splunk® App for AWS Security Dashboards

Installation and Configuration Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot the Splunk App for AWS Security Dashboards

This topic describes ways to resolve common problems that you may encounter while using the Splunk App for AWS Security Dashboards.

Isolate the component with the problem

The Splunk App for AWS Security Dashboards relies on the Splunk Add-on for Amazon Web Services for input collection and knowledge management. When troubleshooting, determine whether the issue you are experiencing is relevant to the app or to the add-on.

In general, if your AWS data is successfully reaching your Splunk indexes, the issue is with the app. If data is not reaching your Splunk indexes, then you should check for configuration problems with the accounts and inputs handled by the Splunk Add-on for Amazon Web Services.

See Troubleshoot the Splunk Add-on for AWS for troubleshooting specific to the add-on.

Dashboards don't show data from custom indexes

If you configure inputs using custom indexes, macros that support dashboard performance must be updated to include the custom indexes. By default, the Splunk App for AWS Security Dashboards runs a saved search called AWS Security Addon Synchronization every hour that automatically updates the macros to include custom indexes you specified when configuring inputs.

You can also manually run the AWS Security Addon Synchronization saved search to immediately update the macros.

See Saved searches for the Splunk App for AWS Security Dashboards for more information.

Alternatively, you can update your local/macros.conf file to specify which indexes the app dashboards should search.

See Macros for the Splunk App for Security Dashboards for more information.

S3 input performance issues

You can configure multiple S3 inputs for a single S3 bucket to improve performance. The Splunk platform dedicates one process for each data input, so provided that your system has sufficient processing power, performance will improve with multiple inputs.

Be sure that multiple inputs do not collect the same S3 folder and file data, to prevent indexing duplicate data.

S3 dashboard saved searches terminate unexpectedly

Some saved searches powering S3 dashboards (Data Events and Traffic Analysis) terminate unexpectedly due to insufficient memory caused by too many concurrent searches. To resolve this issue, consider the following:

  • Increase RAM on the indexer for better performance
  • If the indexer runs Linux, increase the swap size on the indexer (more cost-efficient)
Last modified on 01 March, 2022
PREVIOUS
Migrate from Splunk App for AWS to Splunk App for AWS Security Dashboards 		  NEXT
Saved searches for the Splunk App for AWS Security Dashboards

This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.0.0, 1.1.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters