Configure Cost and Usage Report inputs for the Splunk Add-on for AWS
Configure Billing inputs to collect Cost and Usage Report data (source type:
Configure a Cost and Usage Report input on the data collection node using one of the following ways:
- Configure a Cost and Usage Report input using Splunk Web (recommended)
- Configure a Cost and Usage Report input using configuration file
Enable prefixes so that AWS delivers the reports into a folder (the folder name is the name of the prefix). You can use timestamps and report names to filter results if you do not want to ingest all the reports.
After you have configured your Cost and Usage Report inputs, see Access billing data for the Splunk Add-on for AWS for more information about data collection behavior and how to access the preconfigured reports included in the add-on.
See the Cost and Usage Report section of the AWS documentation for more information on AWS-side configuration steps.
Configure a Cost and Usage Report input using Splunk Web
To configure inputs using Splunk Web, click on Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then click Create New Input > Billing > Billing (Cost and Usage Report).
|Argument in configuration file||Field in Splunk Web||Description|
|AWS Input Configuration|
||AWS account|| The AWS account or EC2 IAM role the Splunk platform uses to access your Billing data. In Splunk Web, select an account from the drop-down list. In |
||Assume Role||The IAM role to assume, see Manage IAM roles.|
||S3 Bucket||The S3 bucket that is configured to hold billing reports.|
||S3 Bucket||The region where the S3 bucket that is configured to hold billing reports is located.|
||Report Prefix||Prefixes used to allow AWS to deliver the reports into a specified folder.|
||Report Name Pattern||A regular expression used to filter reports by name.|
||Start Date||This add-on starts to collect data later than this time. If you leave this field empty, the default value is 90 days before the input is configured. |
Note: Once the input is created, this value cannot be changed.
||Source type|| A source type for the events. Specify a value if you want to override the default of |
||Index||The index name where the Splunk platform puts the billing data. The default is main.|
||Interval|| Enter the number of seconds to wait before the Splunk platform runs the command again, or a valid cron schedule. Default is 86400 seconds (one day). Note that this interval applies differently for monthly report types and detailed report types. For monthly report types, the interval indicates how often to run the data collection for the current month's monthly report AND how often to check the previous month's monthly report's etag to determine if changes were made. If the etag does not match an already-downloaded version of the monthly report, it will download that report to get the latest data. For detailed report types, the interval indicates how often to check the previous month's detailed report etag to determine if changes were made. If the etag does not match a report already downloaded, it will download that report to get the latest data -- the present month is never collected until the month has ended. |
Because AWS billing reports are usually not finalized until several days after the last day of the month, you can use the cron expression
||Temp Folder||Full path to a non-default folder with sufficient space for temporarily storing downloaded detailed billing report .zip files. Take into account the estimated size of uncompressed detailed billing report files, which can be much larger than that of zipped files. If you do not specify a temp folder, the add-on will use the system temp folder by default.|
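The following sketch shows how Report Prefix, Report Name Pattern, Start Date and the etag check described under Interval combine to decide what is downloaded in one collection run. It is an added example, not the add-on's own code: the S3 key layout, the use of `re.search` for the name pattern, the ISO start date string, the "on or after" date comparison, the checkpoint dictionary and all sample keys and etags are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

# Constructed S3 listing of (key, etag) pairs. Assumed layout:
# <report_prefix>/<report_name>/<YYYYMMDD-YYYYMMDD>/<report_name>-Manifest.json
LISTING = [
    ("cur/prod-costs/20240101-20240201/prod-costs-Manifest.json", "etag-a1"),
    ("cur/prod-costs/20240201-20240301/prod-costs-Manifest.json", "etag-b2"),
    ("cur/prod-costs-test/20240201-20240301/prod-costs-test-Manifest.json", "etag-c3"),
    ("cur/prod-costs/20231101-20231201/prod-costs-Manifest.json", "etag-d4"),
    ("other/dev-costs/20240201-20240301/dev-costs-Manifest.json", "etag-e5"),
]

KEY_RE = re.compile(
    r"^(?P<name>[^/]+)/(?P<start>\d{8})-\d{8}/(?P=name)-Manifest\.json$"
)

def select_reports(listing, report_prefix, report_names, start_date, checkpoint):
    """Return the keys one run would download: in scope and etag not yet seen.

    checkpoint maps key -> etag of the version already downloaded (hypothetical).
    """
    name_re = re.compile(report_names)
    prefix = report_prefix.rstrip("/") + "/"
    earliest = date.fromisoformat(start_date)
    todo = []
    for key, etag in listing:
        if not key.startswith(prefix):
            continue  # delivered under a different prefix (folder)
        m = KEY_RE.match(key[len(prefix):])
        if m is None:
            continue  # not a report manifest in the assumed layout
        if name_re.search(m["name"]) is None:
            continue  # report name rejected by the pattern
        if datetime.strptime(m["start"], "%Y%m%d").date() < earliest:
            continue  # billing period begins before the start date
        if checkpoint.get(key) == etag:
            continue  # same etag as the downloaded copy, nothing changed
        todo.append(key)
    return todo

if __name__ == "__main__":
    seen = {LISTING[0][0]: "etag-a1", LISTING[1][0]: "etag-old"}
    print(select_reports(LISTING, "cur", r"^prod-costs$", "2024-01-01", seen))
    print(select_reports(LISTING, "cur", r"prod-costs", "2024-01-01", seen))
```

An unanchored pattern such as `prod-costs` also selects `prod-costs-test` under search semantics, so anchoring the Report Name Pattern with `^` and `$` keeps ingestion limited to the intended report.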
Configure a Cost and Usage Report input using configuration file
To configure inputs in inputs.conf, create a stanza using the following template and add it to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf. If the file or path does not exist, create it.
    [aws_billing_cur://<name>]
    start_by_shell = true
    aws_account = <value>
    aws_iam_role = <value>
    bucket_name = <value>
    bucket_region = <value>
    report_names = <value>
    report_prefix = <value>
    start_date = <value>
    temp_folder = <value>
    host_name = s3.amazonaws.com
Some of these settings have default values that can be found in
    [aws_billing_cur]
    start_by_shell = false
    aws_account = <value>
    aws_iam_role = <value>
    bucket_name = <value>
    bucket_region = <value>
    report_names = <value>
    report_prefix = <value>
    start_date = <value>
    temp_folder = <value>
The values above correspond to the default values in Splunk Web. If you choose to copy this stanza to /local and use it as a starting point to configure your inputs.conf manually, change the stanza title from
This documentation applies to the following versions of Splunk® Supported Add-ons: released