Create an optional custom index
Most configuration for the Splunk App for AWS Security Dashboards is handled in the add-on. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for AWS, see Installation overview for the Splunk Add-on for AWS in the Splunk Add-on for AWS manual.
By default, your AWS accounts and inputs data are stored in a predefined index named "summary". If you want to use a custom index, perform the following steps:
- Create an index in which to store the AWS accounts and inputs data. You must create the index on an indexer or indexer cluster, not on a search head or heavy forwarder. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual for information about creating an index.
- In the Splunk Add-on for AWS, modify the aws-account-index and aws-input-index macros to include the custom index you created.
  - Go to Settings > Advanced Search > Search Macros.
  - Select the macro from the list.
  - For the index field, replace summary with the name of the index you created.
- In the Splunk Add-on for AWS, run these saved searches: Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs.
  - Go to Settings > Searches, reports, and alerts.
  - In the Actions column, click Run for each saved search.
- In the Splunk App for AWS Security Dashboards, modify the aws-security-addon-account-index and aws-security-addon-input-index macros to include the custom index you created.
  - Go to Settings > Advanced Search > Search Macros.
  - Select the macro from the list.
  - For the index field, replace summary with the name of the index you created.
- In the Splunk App for AWS Security Dashboards, run the AWS Security Addon Synchronization saved search to sync the macros.
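The same four macro edits expressed as macros.conf fragments on the search head, as an added illustration rather than the add-on's or app's shipped configuration; the assumed default definition form `index=summary` and the index name `aws_custom` are placeholders, not values taken from the products.

```ini
# Assumed shipped form of each macro before the edit (not copied from the add-on):
# [aws-account-index]
# definition = index=summary
#
# After the edit, all four macros resolve to the custom index. That index must
# already be defined in indexes.conf on the indexers or indexer cluster; the
# macros below live only on the search tier and do not create the index.
# "aws_custom" is a placeholder index name.

# Splunk Add-on for AWS: local/macros.conf
[aws-account-index]
definition = index=aws_custom

[aws-input-index]
definition = index=aws_custom

# Splunk App for AWS Security Dashboards: local/macros.conf
[aws-security-addon-account-index]
definition = index=aws_custom

[aws-security-addon-input-index]
definition = index=aws_custom
```

Place the stanzas in each app's local/ directory rather than default/ so the change survives an upgrade, then run the saved searches listed above so both apps pick up the new index.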
This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.1.1, 1.1.2