Splunk® Supported Add-ons

Splunk Add-on for AWS

Configure alerts for the Splunk Add-on for AWS

Complete the steps to configure and use the Simple Notification Service (SNS) alerts for the Splunk Add-on for Amazon Web Services (AWS):

  1. Manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
  2. Configure AWS services for SNS alerts.
  3. Configure AWS permissions for SNS alerts. If you prefer, skip this step and instead configure permissions for every input of the add-on in one policy. See Configure AWS permissions for all Splunk Add-on for AWS inputs at once.
  4. Create an SNS alert search.
  5. Use the alert action.

To use the search commands and alert actions included with the Splunk Add-on for AWS, you must either be an administrator or a user with the appropriate capability:

  • list_storage_passwords if you are using Splunk Enterprise 6.5.0 or higher.
  • admin_all_objects if you are using a version of Splunk Enterprise lower than 6.5.0.

This functionality is not supported in Splunk Cloud, due to security policy conflicts.

Configure AWS services for SNS alerts

The SNS topic that the alert publishes to must already exist in the target region; the alert action is configured with that region and topic name (see the Region and Topic Name fields under Use the alert action).

If you also plan to use the SQS-based S3 input, you must enable Amazon S3 bucket events to send notification messages to an SQS queue whenever the events occur. This queue cannot be first-in-first-out. For instructions on setting up S3 bucket event notifications, see the AWS documentation:
https://docs.aws.amazon.com/AmazonS3/latest/UG/SettingBucketNotifications.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html

Configure AWS permissions for SNS alerts

Required permissions for Amazon SNS:

  • Publish
  • Get*
  • List*

The following sample inline policy grants these permissions. Note that its "Resource": "*" lets the add-on's credentials publish to every SNS topic in the account; sns:Publish supports resource-level permissions, so in production scope the Publish statement to the ARN of the topic the alert action targets. sns:ListTopics does not support resource-level permissions, so if you split the statement, keep the Get*/List* grant on "*" (a read-only grant cannot publish anything).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish",
        "sns:Get*",
        "sns:List*"
      ],
      "Resource": "*"
    }
  ]
}
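The following added example (not code from the Splunk Add-on for AWS or this page) checks a policy document for an over-broad sns:Publish grant, using the page's sample policy as constructed input, and builds the scoped equivalent. The account ID 123456789012 is a placeholder; the region and topic name are the ones used in this page's awssnsalert search example. Because the page does not say which Get/List calls the add-on makes, the example keeps those wildcards as listed and only pins Publish to one topic ARN.

```python
"""Check an SNS alert policy for an over-broad Publish grant and build a scoped one.

Added example: this is not code from the Splunk Add-on for AWS or its documentation.
The account ID 123456789012 is a placeholder; the region and topic name are the
ones used in this page's awssnsalert search example.
"""
import fnmatch
import json
import re

# The page's sample inline policy, embedded here as constructed input.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sns:Publish", "sns:Get*", "sns:List*"],
      "Resource": "*"
    }
  ]
}"""

# A single SNS topic ARN: arn:<partition>:sns:<region>:<account>:<topic-name>,
# with no wildcard in any component. Topic names never contain ':' or '*'.
TOPIC_ARN = re.compile(r"^arn:[^:*]+:sns:[^:*]+:[^:*]+:[^:*]+$")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and accept '*' wildcards, so
    'sns:*', 'SNS:Pub*' and '*' all grant sns:Publish."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def broad_publish_statements(policy):
    """Return the indexes of Allow statements that grant sns:Publish on anything
    wider than a single topic ARN.

    "Resource": "*", or an ARN with a wildcard such as
    arn:aws:sns:us-east-1:123456789012:*, lets the credentials publish to every
    matching topic in the account. NotAction/NotResource statements are not
    handled here. Accepts the policy as a JSON string or an already-parsed dict.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, "sns:Publish") for p in actions):
            continue
        resources = _as_list(stmt.get("Resource"))
        if any(not TOPIC_ARN.match(r) for r in resources):
            findings.append(index)
    return findings


def scoped_policy(account_id, region, topic_name):
    """Least-privilege form of the page's sample policy.

    Publish is pinned to the one topic the alert action targets. The Get*/List*
    wildcards are kept as the page lists them, because sns:ListTopics does not
    support resource-level permissions; a read-only grant cannot publish.
    """
    topic_arn = f"arn:aws:sns:{region}:{account_id}:{topic_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sns:Publish", "Resource": topic_arn},
            {"Effect": "Allow", "Action": ["sns:Get*", "sns:List*"], "Resource": "*"},
        ],
    }


if __name__ == "__main__":
    print("over-broad Publish statements in sample:", broad_publish_statements(SAMPLE_POLICY))
    tightened = scoped_policy("123456789012", "ap-southeast-1", "ta-aws-sns-ingestion")
    print("over-broad Publish statements after scoping:", broad_publish_statements(tightened))
    print(json.dumps(tightened, indent=2))
```

Run the script as-is to see the sample policy flagged and the scoped policy printed; paste the printed JSON as the inline policy for the add-on's IAM user or role, replacing the placeholder account ID with your own. To check a policy you already deployed, pass its JSON (for example the output of `aws iam get-user-policy`) to broad_publish_statements.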

Use the awssnsalert search command

Use the search command, awssnsalert, to send alerts to AWS SNS.

The following example search demonstrates how to use this search command:

...| eval message="My Message" | eval entity="My Entity" | eval correlation_id="1234567890" | awssnsalert account=real region="ap-southeast-1" topic_name="ta-aws-sns-ingestion" publish_all=1

Use the following attributes to create an SNS alert search. All attributes except publish_all are required:

  account: The AWS account name configured in the add-on.
  region: The AWS region name.
  topic_name: The name of the AWS SNS topic that the alert message is sent to.
  message: The message that the Splunk Add-on for AWS sends to AWS SNS.
  publish_all: 0 or 1. With publish_all=1, the add-on publishes every result of the search; with publish_all=0, it publishes only the first result. The default is 0.

Use the alert action

The Splunk Add-on for AWS supports automatic incident and event creation, and incident update, from custom alert actions. Custom alert actions are available in Splunk Enterprise version 6.3.0 and higher.

To create a new incident or event from a custom alert action, follow these steps:

  1. In Splunk Web, navigate to the Search & Reporting app.
  2. Write a search string that you want to use to trigger incident or event creation in AWS SNS.
  3. Click Save As > Alert.
  4. Fill out the Alert form. Give your alert a unique name and indicate whether the alert is a real-time alert or a scheduled alert. See Getting started with alerts in the Alerting Manual for more information.
  5. Under Trigger Actions, click Add Actions.
  6. From the list, select AWS SNS Alert if you want the alert to create an event in AWS SNS.
  7. Enter values for the fields listed below. Required fields are marked as such; the optional fields fall back to a field of the same name in the search result:
    Account: Required. The account name configured in the Splunk Add-on for AWS.
    Region: Required. The AWS SNS region the events are sent to. Make sure the region matches the one the topic lives in.
    Topic Name: Required. The name of the topic the events are sent to. Make sure the topic exists in AWS SNS.
    Correlation ID: Optional. The ID that correlates this alert with other events. If you leave this field empty, the action uses $result.correlation_id$ by default.
    Entity: Optional. The object the event or alert relates to, such as a host, database, or EC2 instance. If you leave this field empty, Splunk Enterprise uses $result.entity$ by default.
    Source: Optional. The source of the event or alert. If you leave this field empty, Splunk Enterprise uses $result.source$ by default.
    Timestamp: Optional. The time the event occurred. If you leave this field empty, Splunk Enterprise uses $result._time$ by default.
    Event: Optional. The details of the event. If you leave this field empty, Splunk Enterprise uses $result._raw$ by default.
    Message: Required. The message that the Splunk Add-on for AWS sends to AWS SNS.
Last modified on 08 October, 2020