Splunk® Supported Add-ons

Splunk Add-on for AWS

Configure Description inputs for the Splunk Add-on for AWS

Configure Description inputs to collect Description data (source type: aws:description).

Configure a Description input on the data collection node using either Splunk Web or the configuration file. Both methods are described below.

If you are using the Splunk App for AWS, note that this input is called Metadata in the app.

Configure a Description input using Splunk Web

To configure inputs in Splunk Web, click on Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then click Create New Input > Description.

| Argument in configuration file | Field in Splunk Web | Description |
|---|---|---|
| account | AWS Account | The AWS account or EC2 IAM role the Splunk platform uses to access your Description data. In Splunk Web, select an account from the drop-down list. In aws_description_tasks.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the autodiscovered EC2 IAM role. |
| aws_iam_role | Assume Role | The IAM role to assume, see Manage IAM roles. |
| regions | AWS Regions | The AWS regions for which you are collecting Description data. In Splunk Web, select one or more regions from the drop-down list. In aws_description_tasks.conf, enter one or more valid AWS region IDs, comma-separated. See the AWS documentation for more information. |
| apis | APIs/Interval (seconds) | APIs you want to collect data from, and intervals for each API, in the format of <api name>/<api interval in seconds>,<api name>/<api interval in seconds>. The default value in Splunk Web is ec2_volumes/3600,ec2_instances/3600,ec2_reserved_instances/3600,ebs_snapshots/3600,elastic_load_balancers/3600,vpcs/3600,vpc_network_acls/3600,cloudfront_distributions/3600,vpc_subnets/3600,rds_instances/3600,ec2_key_pairs/3600,ec2_security_groups/3600, which collects from all of the APIs supported in this release. Set your intervals to be 3600 seconds (one hour) or longer to avoid rate limiting errors. |
| sourcetype | Source type | A source type for the events. Enter aws:description. |
| index | Index | The index name where the Splunk platform puts the Description data. The default is main. |

Configure a Description input using configuration file

To configure a Description input using the configuration files, create $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/aws_description_tasks.conf using the following template.

[<name>]
account = <value>
aws_iam_role = <value>
apis = <value>
index = <value>
regions = <value>
sourcetype = <value>

Here is an example stanza that collects description data from all supported APIs.

[desc:splunkapp2]
account = splunkapp2
apis = ec2_volumes/3600, ec2_instances/3600, ec2_reserved_instances/3600, ebs_snapshots/3600, classic_load_balancers/3600, application_load_balancers/3600, vpcs/3600, vpc_network_acls/3600, cloudfront_distributions/3600, vpc_subnets/3600, rds_instances/3600, ec2_key_pairs/3600, ec2_security_groups/3600, ec2_images/3600, ec2_addresses/3600, lambda_functions/3600, s3_buckets/3600, iam_users/3600
index = default
regions = us-west-2
sourcetype = aws:description
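
A lint for the stanza format and the 3600-second interval guidance above, as an added example that is not part of the Splunk documentation or the add-on's code. The function name, the constructed SAMPLE stanzas and the set of API names (collected only from this page) are assumptions of the example.

```python
import configparser

# API names that appear on this page (Splunk Web default plus the example stanza).
KNOWN_APIS = set("""ec2_volumes ec2_instances ec2_reserved_instances ebs_snapshots vpcs
    elastic_load_balancers classic_load_balancers application_load_balancers vpc_subnets
    vpc_network_acls cloudfront_distributions rds_instances ec2_key_pairs ec2_images
    ec2_security_groups ec2_addresses lambda_functions s3_buckets iam_users""".split())
REQUIRED_KEYS = ("account", "apis", "index", "regions", "sourcetype")
MIN_INTERVAL = 3600  # the page advises 3600 seconds or longer to avoid rate limiting

def lint_description_conf(text):
    """Return (stanza, problem) tuples for an aws_description_tasks.conf body."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    problems = []
    for stanza in parser.sections():
        section = parser[stanza]
        for key in REQUIRED_KEYS:
            if not section.get(key, "").strip():
                problems.append((stanza, f"missing {key}"))
        if section.get("sourcetype", "aws:description") != "aws:description":
            problems.append((stanza, "sourcetype is not aws:description"))
        for item in filter(None, (p.strip() for p in section.get("apis", "").split(","))):
            name, sep, interval = (s.strip() for s in item.partition("/"))
            if not sep or not interval.isdigit():
                problems.append((stanza, f"malformed apis entry: {item}"))
                continue
            if name not in KNOWN_APIS:
                problems.append((stanza, f"api not listed on this page: {name}"))
            if int(interval) < MIN_INTERVAL:
                problems.append((stanza, f"{name} interval {interval} is below {MIN_INTERVAL}"))
    return problems

# Constructed sample input, not taken from a real deployment.
SAMPLE = """
[desc:good]
account = splunkapp2
apis = ec2_instances/3600, iam_users/7200
index = default
regions = us-west-2
sourcetype = aws:description

[desc:bad]
account = splunkapp2
apis = ec2_instances/300, s3_bucket/3600, vpcs
regions = us-west-2
sourcetype = aws:cloudtrail
"""
if __name__ == "__main__":
    print(*lint_description_conf(SAMPLE), sep="\n")
```

An API name flagged as not listed may still be valid in a newer release of the add-on; the set reflects only what this page names.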

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

It looks like as of 4.4 (maybe 4.5?) there are new permissions required for this role surrounding IAM access (according to http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions#Configure_Description_permissions). This implies that there are now some IAM-related describe actions that are available, but no new supported APIs are listed above. Should this be updated or is there another reason for requiring these new permissions?

Drutstein
April 6, 2018
