Splunk Add-on for AWS
Use SNS alert for the Splunk Add-on for AWS

To use the search commands and alert actions included with the Splunk Add-on for AWS, you must either be a Splunk administrator or a user with the appropriate capability:

  • list_storage_passwords if you are using Splunk platform 6.5.0 or later.
  • admin_all_objects if you are using an earlier version of the Splunk platform.

This functionality is not supported in Splunk Cloud, due to security policy conflicts.

Use the awssnsalert search command

The Splunk Add-on for AWS includes a search command, awssnsalert, that sends alerts to AWS SNS.

The following example search demonstrates how to use this search command:

...| eval message="My Message" | eval entity="My Entity" | eval correlation_id="1234567890" | awssnsalert account=real region="ap-southeast-1" topic_name="ta-aws-sns-ingestion" publish_all=1

Attribute
  Description

account
  Required. The AWS account name configured in the add-on.

region
  Required. The AWS region name.

topic_name
  Required. The AWS SNS topic name the alert message is sent to.

message
  Required. The message that the Splunk Add-on for AWS sends to AWS SNS (set with eval in the example above).

publish_all
  Optional. Set publish_all to 0 or 1. With publish_all=1 the add-on sends every record returned by the search; with publish_all=0 it sends only the first result of the search. The default value is 0.

Use the alert action

The Splunk Add-on for AWS supports automatic incident and event creation and incident update from custom alert actions. Custom alert actions are available in Splunk platform version 6.3.0 and later.

To create a new incident or event from a custom alert action:

  1. Write a search string that you want to use to trigger incident or event creation in AWS SNS.
  2. Click Save As > Alert.
  3. Fill out the Alert form. Give your alert a unique name and indicate whether the alert should be a real-time alert or a scheduled alert. See Getting started with Alerts in the Alerting Manual, part of the Splunk Enterprise documentation, for more information.
  4. Under Trigger Actions, click Add Actions.
  5. From the list, select AWS SNS Alert if you want the alert to create an event in AWS SNS.
  6. Enter values for all required fields, as shown.
    Field
      Description

    Account
      Required. The account name configured in the Splunk Add-on for AWS.

    Region
      Required. The AWS SNS region the events are sent to. Make sure the region is consistent with the one where your SNS topic lives.

    Topic Name
      Required. The name of the topic the events are sent to. Make sure the topic name exists in AWS SNS.

    Correlation ID
      Optional. The ID that correlates this alert with other events. If you leave this field empty, the Splunk platform uses $result.correlation_id$ by default.

    Entity
      Optional. The object related to the event or alert, such as a host, database, or EC2 instance. If you leave this field empty, the Splunk platform uses $result.entity$ by default.

    Source
      Optional. The source of the event or alert. If you leave this field empty, the Splunk platform uses $result.source$ by default.

    Timestamp
      Optional. The time the event occurred. If you leave this field empty, the Splunk platform uses $result._time$ by default.

    Event
      Optional. The details of the event. If you leave this field empty, the Splunk platform uses $result._raw$ by default.

    Message
      Required. The message that the Splunk Add-on for AWS sends to AWS SNS.
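As an added illustration, not the add-on's own code, the following Python models the field rules the two tables above describe: the required fields (account, region, topic_name, message) are enforced, empty optional fields fall back to the corresponding $result.<field>$ value, and publish_all decides whether only the first result or all results are sent. The function names and the sample result are assumptions constructed for this example.

```python
"""Model of the AWS SNS alert field resolution (added example, not the add-on's code)."""
import re

REQUIRED = ("account", "region", "topic_name", "message")
# Optional alert-action field -> result field used when the field is left empty
DEFAULTS = {
    "correlation_id": "correlation_id",
    "entity": "entity",
    "source": "source",
    "timestamp": "_time",
    "event": "_raw",
}
# Matches $result.<field>$ tokens inside a configured field value
TOKEN = re.compile(r"\$result\.([A-Za-z_][A-Za-z0-9_]*)\$")


def substitute_tokens(value, result):
    """Replace every $result.<field>$ token with the value from one search result."""
    return TOKEN.sub(lambda m: str(result.get(m.group(1), "")), value)


def build_sns_message(config, result):
    """Build the message the alert would publish for a single search result."""
    missing = [f for f in REQUIRED if not config.get(f)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    msg = {f: substitute_tokens(config[f], result) for f in REQUIRED}
    for field, result_field in DEFAULTS.items():
        configured = config.get(field)
        if configured:
            msg[field] = substitute_tokens(configured, result)
        else:
            # Empty optional field: default to the matching result field (None if absent)
            msg[field] = result.get(result_field)
    return msg


def select_results(results, publish_all=0):
    """publish_all=1 sends every result; the default (0) sends only the first one."""
    results = list(results)
    return results if publish_all else results[:1]


# Constructed sample input (hypothetical values, not from a real deployment)
SAMPLE_CONFIG = {"account": "real", "region": "ap-southeast-1",
                 "topic_name": "ta-aws-sns-ingestion", "message": "Alert on $result.host$"}
SAMPLE_RESULT = {"host": "web01", "_time": "1700000000", "_raw": "sample raw event",
                 "entity": "My Entity", "correlation_id": "1234567890"}
```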
This documentation applies to the following versions of Splunk® Supported Add-ons: released