Splunk® Supported Add-ons

Splunk Add-on for AWS

Download manual as PDF

Download topic as PDF

Access billing data for the Splunk Add-on for AWS

Use the billing input in the Splunk Add-on for Amazon Web Services (AWS) to collect your AWS billing reports, then extract useful information from them using pre-built reports included with this add-on. The pre-built reports are based on AWS report formats. You can use these reports as examples of how to use the Splunk platform to explore your other S3 data.

The Billing input does not collect billing reports for your AWS Marketplace charges.

Billing report types

See information about Monthly reports, Monthly cost allocation reports, Detailed billing reports, and Detailed billing reports with resources and tags.

Monthly report

The Monthly report lists AWS usage for each product dimension used by an account and its Identity Access Management (IAM) users in monthly line items. You can download this report from the Bills page of the Billing and Cost Management console.

This report takes the following file name format:

<AWS account number>-aws-billing-csv-yyyy-mm.csv

This report is small in size, so the add-on pulls the entire report once daily to get the latest snapshot.

Monthly cost allocation report

The Monthly cost allocation report contains the same data as the monthly report as well as any cost allocation tags that you create. Monthly reports have the event type aws_billing_monthly_report. You must obtain this report from the Amazon S3 bucket that you specify. Standard AWS storage rates apply.

This report takes the following file name format:

File Name Format: <AWS account number>-aws-cost-allocation-yyyy-mm.csv

This report is small in size, so the add-on pulls the entire report once daily to get the latest snapshot.

Detailed billing report

The Detailed billing report lists AWS usage for each product dimension used by an account and its IAM users in hourly line items. Detailed billing reports have the event type aws_billing_detail_report. You must obtain this report from the Amazon S3 bucket that you specify. Standard AWS storage rates apply.

This report takes the following file name format:

<AWS account number>-aws-billing-detailed-line-items-yyyy-mm.csv.zip

This report can grow very large, so the add-on collects the report only after the month has ended. The add-on continues to collect the report once per day until it is finalized by Amazon billing services.

Detailed billing report with resources and tags

The Detailed billing report with resources and tags contains the same data as the detailed billing report, but also includes any cost allocation tags you have created and ResourceIDs for the AWS resources used by your account. You must obtain this report from the Amazon S3 bucket that you specify. Standard AWS storage rates apply.

This report takes the following file name format:

<AWS account number>-aws-billing-detailed-line-items-with-resources-and-tags-yyyy-mm.csv.zip

This report can be very large, so the add-on collects the report only after the month has ended. The add-on continues to collect the report once per day until it is finalized by Amazon billing services.

Access preconfigured reports

The Splunk Add-on for AWS includes several reports based on the indexed billing report data. You can find these saved reports in Splunk Web by clicking Home > Reports and looking for items with the prefix AWS Bill - . Some of the saved searches return a table. Others return a single value, such as AWS Bill - Total Cost till Now.

The Splunk platform typically indexes multiple monthly report snapshots. To obtain the most recent monthly report snapshot, click Home > Reports and open the saved report called AWS Bill - Monthly Latest Snapshot. Or, search for it using the search string: | savedsearch "AWS Bill - Monthly Latest Snapshot"

You can obtain the most recent detailed report by clicking Home > Reports and opening the saved report called AWS Bill - Daily Cost. Or, search for it using the search string:

| savedsearch "AWS Bill - Daily Cost"

.

Searching against detailed reports can be slow due to the volume of data in the report. Accelerate the searches against detailed reports.

Report sources

These saved reports are based on AWS Billing Reports instead of the billing metric data in CloudWatch. By default, Total or Monthly reports are based on data indexed from the AWS Monthly Reports (*-aws-billing-csv-yyyy-mm.csv or *-aws-cost-allocation-yyyy-mm.csv) on the S3 bucket, while Daily reports are based on AWS Detail Reports (*-aws-billing-detailed-line-items-yyyy-mm.csv.zip or *-aws-billing-detailed-line-items-with-resources-and-tags-yyyy-mm.csv.zip).

Default index behavior

By default, reports look for data in the default index, main. If you changed the default index when you configured the data input, the reports will not work unless you include the index in the default search indexes list or change the two reports so they filter to the custom index.

To include a custom index in the default search indexes list, perform the following steps:

  1. Click Settings > Users and authentication > Access controls > Roles > [Role that uses the saved searches] > Indexes searched by default.
  2. Add the custom index to the default search indexes list.
  3. Repeat for each role that uses the saved searches.

To change the saved searches to filter to a custom index, perform the following steps:

  1. Open the saved search AWS Bill - Monthly Latest Snapshot.
  2. Add a filter to specify the index you configured. For example, index=new_index.
  3. Save your changes to the saved search.
  4. Repeat these steps for the other saved search, AWS Bill - Detailed Cost.
Last modified on 28 August, 2020
PREVIOUS
Configure permissions for all inputs for the Splunk Add-on for AWS at once
  NEXT
Lookups for the Splunk Add-on for AWS

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters