Splunk® Supported Add-ons

Splunk Add-on for AWS

Release notes for the Splunk Add-on for AWS

Version 4.6.0 of the Splunk Add-on for Amazon Web Services was released on October 3, 2018.

Compatibility

Version 4.6.0 of the Splunk Add-on for Amazon Web Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 6.5 and later
CIM: 4.3 and later
Supported OS for data collection: Platform independent
Vendor products: Amazon Web Services CloudTrail, CloudWatch, CloudWatch Logs, Config, Config Rules, Inspector, Kinesis, S3, VPC Flow Logs, Billing services, SQS, and SNS

New features

Version 4.6.0 of the Splunk Add-on for AWS contains the following new and changed features:

  • CloudWatch Metrics input to enable discovery of new entities without Splunk restart
  • Metrics store support (requires a Splunk forwarder version 7.2.0 or above)
  • Ability to detect configuration of SSL on management port
  • Line/event breaking enforcement for ELB/S3 Access Logs
  • Support for Splunk Enterprise 7.2.0

Fixed issues

Version 4.6.0 of the Splunk Add-on for Amazon Web Services fixes the following issues.

| Date resolved | Issue number | Description |
|---|---|---|
| 2018-08-27 | ADDON-18031 | Small page size causing LimitExceededException error during Kinesis ListStreams operations |
| 2018-07-17 | ADDON-18087, SII-1746 | Invalid AWS credentials can be added and interacted with as valid AWS credentials |
| 2018-06-27 | ADDON-17277 | Line/event breaking enforcement for ELB/S3 Access Logs |

Known issues

Version 4.6.0 of the Splunk Add-on for Amazon Web Services has the following known issues.

| Date filed | Issue number | Description |
|---|---|---|
| 2018-08-23 | ADDON-19179 | UI shows error message when a CloudWatch mod input has dimensions with different query_window_size |
| 2018-08-16 | ADDON-19138 | Splunk 7.1 and below outputs 'Invalid key in stanza' warning on startup about INGEST_EVAL, METRIC-SCHEMA-MEASURES, and METRIC-SCHEMA-TRANSFORMS |
| 2018-03-28 | ADDON-17571 | AWS TA and *nix TA lack spec files for eventgen.conf, which causes cluster bundle validation errors and breaks the Manage Indexes page in clustered Splunk Cloud. Workaround: Splunk Cloud customers who cannot create indexes on their own due to this bug should file a support case when they need new indexes created. |
| 2018-02-19 | ADDON-17158 | The style of multi-input text box is not correct |
| 2018-02-19 | ADDON-17157 | The header view of customized page is inconsistent with the default NightLight style |
| 2018-02-13 | ADDON-17132 | Create/edit input page layout is broken |
| 2018-02-13 | ADDON-17135 | Placeholder tooltip is missing for dropdown |
| 2018-01-05 | ADDON-16518 | When Kinesis and CloudWatch inputs send large volumes of data over HEC, HEC can block the ingest pipeline, which breaks non-HEC inputs. Workaround: Set use_hec=false in the [global_settings] stanza of aws_kinesis.conf and/or aws_cloudwatch.conf. |
| 2017-09-03 | ADDON-15718 | Duplicate CloudFront data in description when there is more than one region |
| 2017-08-22 | ADDON-15603 | Users can delete an account in use. |
| 2017-03-29 | ADDON-14287 | After you replace an IAM role attached to an EC2 instance, the inputs that use the old IAM role stop collecting data. |
| 2016-12-22 | ADDON-12867, ADDON-11894 | S3 input: large key numbers lead to excessively large checkpoint files. Workaround: Migrate to SQS-based S3 or Incremental S3. By the nature of Generic S3, a large number of files always leads to a large checkpoint. Migrating improves the checkpoint file size; however, as long as this issue is not fixed, the checkpoint file might still not be as small as expected. |

Third-party software attributions

Version 4.6.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Hi Shawn,
Thanks for providing feedback on this issue. I have forwarded your suggestion, as well as your workaround to our engineering team for review for future releases.

Mglauser splunk, Splunker
October 4, 2018

AWS now provides an option for VPCFlow Logs to go to S3. I have modified the props and transforms configuration to ingest SQS S3 and ignore the header and created sourcetype modeled after the existing aws:cloudwatch:vpcflow to create a sourcetype aws:s3:vpcflow input and it works as intended. This may be beneficial to include by default on the next release for those larger enterprise customers who may centralize VPCFlows from multiple accounts into a centralized AWS logging account.
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html

ShawnWarner7
October 3, 2018

Is there any plan to add support for elbv2 API? i.e. Application Load Balancers. It would be awesome if the description input would include it along with other stuff.

Kud360
November 2, 2016
