Use SNS alert for the Splunk Add-on for AWS
To use the search commands and alert actions included with the Splunk Add-on for AWS, you must either be a Splunk administrator or a user with the appropriate capability:
- list_storage_passwords if you are using Splunk platform 6.5.0 or later.
- admin_all_objects if you are using an earlier version of the Splunk platform.
This functionality is not supported in Splunk Cloud, due to security policy conflicts.
awssnsalert search command
The Splunk Add-on for AWS includes a search command, awssnsalert, that sends alerts to AWS SNS.
The following example search demonstrates how to use this search command:
...| eval message="My Message" | eval entity="My Entity" | eval correlation_id="1234567890" | awssnsalert account=real region="ap-southeast-1" topic_name="ta-aws-sns-ingestion" publish_all=1
| Parameter | Description |
|---|---|
| account | Required. AWS account name configured in the add-on. |
| region | Required. AWS region name. |
| topic_name | Required. The alert message is sent to this AWS SNS topic name. |
| message | Required. The message that the Splunk Add-on for AWS sends to AWS SNS. |
| publish_all | You can set |
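The following search is an added example, not part of the Splunk documentation or the add-on itself, showing a defender-side use of awssnsalert: it counts failed AWS console logins per user and source address from CloudTrail data, builds the message, entity, and correlation_id fields the command expects, and publishes the result to SNS. The index name aws, the account name prod-security, the region us-east-1, the topic name security-alerts, and the threshold of 10 failures are assumptions chosen for the example; replace them with the values configured in your own deployment. Field names from the CloudTrail event (eventName, errorMessage, userIdentity.userName, sourceIPAddress) are the standard aws:cloudtrail field names.

```spl
index=aws sourcetype="aws:cloudtrail" eventName=ConsoleLogin errorMessage="Failed authentication"
| stats count AS failures, min(_time) AS first_seen, max(_time) AS last_seen BY userIdentity.userName, sourceIPAddress
| where failures >= 10
| eval entity='userIdentity.userName'
| eval correlation_id=md5(entity . ":" . sourceIPAddress . ":" . strftime(first_seen, "%Y-%m-%d"))
| eval message="Repeated failed AWS console logins: " . failures . " attempts for " . entity . " from " . sourceIPAddress . " between " . strftime(first_seen, "%Y-%m-%dT%H:%M:%S") . " and " . strftime(last_seen, "%Y-%m-%dT%H:%M:%S")
| awssnsalert account="prod-security" region="us-east-1" topic_name="security-alerts" publish_all=1
```

Deriving correlation_id from the user, the source address, and the calendar day means that repeated runs of the search on the same day for the same user and address produce the same ID, so a downstream consumer of the SNS topic can group them into one incident instead of opening a new one per run. Whoever runs this search needs the list_storage_passwords (or admin_all_objects) capability described above, since the command reads the stored AWS credentials for the named account.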
Use the alert action
The Splunk Add-on for AWS supports automatic incident and event creation and incident update from custom alert actions. Custom alert actions are available in Splunk platform version 6.3.0 and later.
To create a new incident or event from a custom alert action:
- Write a search string that you want to use to trigger incident or event creation in AWS SNS.
- Click Save As > Alert.
- Fill out the Alert form. Give your alert a unique name and indicate whether the alert should be a real-time alert or a scheduled alert. See Getting started with Alerts in the Alerting Manual, part of the Splunk Enterprise documentation, for more information.
- Under Trigger Actions, click Add Actions.
- From the list, select AWS SNS Alert if you want the alert to create an event in AWS SNS.
- Enter values for all required fields, as shown.
| Field | Description |
|---|---|
| Account | Required. The account name configured in the Splunk Add-on for AWS. |
| Region | Required. The AWS SNS region the events will be sent to. Make sure the region is consistent with AWS SNS. |
| Topic Name | Required. The name of the topic the events will be sent to. Make sure the topic name exists in AWS SNS. |
| Correlation ID | Optional. The ID that correlates this alert with the other events. If you leave this field empty, it will use $result.correlation_id$ by default. |
| Entity | Optional. Object related to the event or alert, such as a host, database, or EC2 instance. If you leave this field empty, the Splunk platform will use $result.entity$ by default. |
| Source | Optional. The source of the event or alert. If you leave this field empty, the Splunk platform will use $result.source$ by default. |
| Timestamp | Optional. The time the event occurred. If you leave this field empty, the Splunk platform will use $result._time$ by default. |
| Event | Optional. The details of the event. If you leave this field empty, the Splunk platform will use $result._raw$ by default. |
| Message | Required. The message that the Splunk Add-on for AWS sends to AWS SNS. |