Troubleshoot the Splunk App for AWS Security Dashboards
This topic describes ways to resolve common problems that you may encounter while using the Splunk App for AWS Security Dashboards.
Isolate the component with the problem
The Splunk App for AWS Security Dashboards relies on the Splunk Add-on for Amazon Web Services for input collection and knowledge management. When troubleshooting, determine whether the issue you are experiencing is relevant to the app or to the add-on.
In general, if your AWS data is successfully reaching your Splunk indexes, the issue is with the app. If data is not reaching your Splunk indexes, then you should check for configuration problems with the accounts and inputs handled by the Splunk Add-on for Amazon Web Services.
See Troubleshoot the Splunk Add-on for AWS for troubleshooting specific to the add-on.
Dashboards don't show data from custom indexes
If you configure inputs using custom indexes, macros that support dashboard performance must be updated to include the custom indexes. By default, the Splunk App for AWS Security Dashboards runs a saved search called AWS Security Addon Synchronization every hour that automatically updates the macros to include custom indexes you specified when configuring inputs.
You can also manually run the AWS Security Addon Synchronization saved search to immediately update the macros.
See Saved searches for the Splunk App for AWS Security Dashboards for more information.
Alternatively, you can update your local/macros.conf file to specify which indexes the app dashboards should search.
See Macros for the Splunk App for Security Dashboards for more information.
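The following is an added illustration of what such a local/macros.conf entry looks like; it is not taken from the app's own configuration. The stanza name is a placeholder for whichever app macro you are overriding (take the real name from the app's default/macros.conf), and the index names are constructed sample values.

```ini
# local/macros.conf (added example; placeholder macro name, constructed index names)
#
# Splunk layers local/ over default/, so this stanza overrides the app's
# shipped definition without editing files that an upgrade would replace.
# Replace <app_index_macro> with the actual macro name used by the dashboards.
[<app_index_macro>]
# List every index your AWS inputs write to. Anything missing here is
# invisible to the dashboards even though the events are indexed.
definition = (index="aws" OR index="aws_cloudtrail" OR index="aws_s3_access")
```

After saving the file, reload the configuration (for example, by restarting Splunk or using the debug/refresh endpoint) and confirm the change by running the macro in Search; the expanded search should name each custom index you listed.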
S3 input performance issues
You can configure multiple S3 inputs for a single S3 bucket to improve performance. The Splunk platform dedicates one process for each data input, so provided that your system has sufficient processing power, performance will improve with multiple inputs.
Be sure that multiple inputs do not collect the same S3 folder and file data, to prevent indexing duplicate data.
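As an added example (not from the add-on's own documentation), the inputs.conf fragment below shows two Generic S3 inputs reading one bucket, each restricted to its own key prefix so that no object is collected twice. The stanza name and bucket, account and prefix values are constructed; the setting names are assumed to match the add-on's generic S3 input (`aws_s3`), so check them against the add-on's inputs.conf.spec for your version.

```ini
# local/inputs.conf (added example; constructed values, setting names assumed)
#
# Two inputs on the same bucket give the Splunk platform two collection
# processes. The key_name prefixes must not overlap, otherwise the same
# objects are indexed twice and dashboard counts are inflated.
[aws_s3://example-logs-2023]
aws_account = example-aws-account
bucket_name = example-log-bucket
key_name = AWSLogs/2023/
sourcetype = aws:cloudtrail
index = aws_cloudtrail

[aws_s3://example-logs-2024]
aws_account = example-aws-account
bucket_name = example-log-bucket
key_name = AWSLogs/2024/
sourcetype = aws:cloudtrail
index = aws_cloudtrail
```

If you later add a third input, choose a prefix that is disjoint from the existing ones; a prefix of `AWSLogs/` alone would re-collect everything the other two inputs already cover.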
S3 dashboard saved searches terminate unexpectedly
Some saved searches powering S3 dashboards (Data Events and Traffic Analysis) terminate unexpectedly due to insufficient memory caused by too many concurrent searches. To resolve this issue, consider the following:
- Increase RAM on the indexer for better performance
- If the indexer runs Linux, increase the swap size on the indexer (more cost-efficient)
This documentation applies to the following versions of Splunk® App for AWS Security Dashboards: 1.1.1, 1.1.2