Splunk® Supported Add-ons

Splunk Add-on for AWS


Saved searches for the Splunk Add-on for AWS

To enable or disable a saved search, follow these steps:

  1. From the Settings menu, choose Searches, reports, and alerts.
  2. Locate the saved search by filtering the list or by entering its name in the filter field.
  3. Under the Actions column of the saved search list, select Edit > Enable/Disable to enable or disable the saved search.

Saved searches cannot be scheduled using a free license.

The "Addon Metadata - Summarize AWS Inputs" saved search is disabled by default. You must enable this saved search to aggregate inputs and accounts data in the summary index.

The Splunk Add-on for AWS includes the following saved searches:

Name Search
AWS Bill - Monthly Latest Snapshot
search = index="<your index>" eventtype=aws_billing_monthly_report [search index="<your index>"]
search = eventtype=aws_billing_monthly_report [search eventtype=aws_billing_monthly_report | dedup report_month sortby -_time | return 1000 S3KeyLastModified]
AWS Bill - Detailed Cost Latest Snapshot
search = index="<your index>" eventtype=aws_billing_detail_report [search index="<your index>"]
search = eventtype=aws_billing_detail_report  [search eventtype=aws_billing_detail_report RecordType=StatementTotal | dedup report_month sortby -_time | return 1000 S3KeyLastModified]
AWS Bill - Total Cost until Now
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=StatementTotal | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode
display.general.type = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
AWS Bill - Total Cost until Now by Service
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=LinkedLineItem | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by ProductName
AWS Bill - Total Cost until Now by Linked Account
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=AccountTotal  | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by LinkedAccount
AWS Bill - Monthly Cost
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=StatementTotal | timechart span=1mon sum(TotalCost) as TotalCost
AWS Bill - Monthly Cost by Service
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=LinkedLineItem  | timechart span=1mon sum(TotalCost) as TotalCost by ProductName limit=20
AWS Bill - Monthly Cost by Linked Account
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=AccountTotal | timechart span=1mon sum(TotalCost) by LinkedAccount limit=20
AWS Bill - Current Month Cost until Now
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=StatementTotal | eval date_month=strftime(_time, "%Y-%m") | eval current_month=strftime(now(), "%Y-%m") | where date_month=current_month | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode
display.general.type = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
AWS Bill - Current Month Cost until Now by Service
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=LinkedLineItem | eval date_month=strftime(_time, "%Y-%m") | eval current_month=strftime(now(), "%Y-%m") | where date_month=current_month | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by ProductName
AWS Bill - Current Month Cost until Now by Linked Account
search = | savedsearch "AWS Bill - Monthly Latest Snapshot" | search RecordType=AccountTotal | eval date_month=strftime(_time, "%Y-%m") | eval current_month=strftime(now(), "%Y-%m") | where date_month=current_month | stats sum(TotalCost) as TotalCost, first(CurrencyCode) as CurrencyCode by LinkedAccount
AWS Bill - Daily Cost through Last Month - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |   timechart span=1day sum(BlendedCost) as TotalCost
AWS Bill - Daily Cost through Last Month by Service - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |   timechart span=1day sum(BlendedCost) as TotalCost by ProductName limit=20
AWS Bill - Daily Cost through Last Month by Linked Account - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |   timechart span=1day sum(BlendedCost) as TotalCost by LinkedAccount limit=20
AWS Bill - Total Cost through Last Month by Region - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  stats sum(BlendedCost) as TotalCost by AvailabilityZone
AWS Bill - Monthly Cost through Last Month by Region - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1mon sum(BlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Daily Cost through Last Month by Region - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(BlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Total Daytime Cost through Last Month - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour>=7 AND date_hour<=17) | stats sum(BlendedCost) as TotalCost
display.general.type = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
AWS Bill - Total Nighttime Cost through Last Month - Blended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour < 7 OR date_hour > 17) | stats sum(BlendedCost) as TotalCost
display.general.type = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
AWS Bill - Daily Cost through Last Month - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |   timechart span=1day sum(UnBlendedCost) as TotalCost
AWS Bill - Total Cost through Last Month by Region - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  stats sum(UnBlendedCost) as TotalCost by AvailabilityZone
AWS Bill - Daily Cost through Last Month by Service - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |   timechart span=1day sum(UnBlendedCost) as TotalCost by ProductName limit=20
AWS Bill - Daily Cost through Last Month by Linked Account - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |   timechart span=1day sum(UnBlendedCost) as TotalCost by LinkedAccount limit=20
AWS Bill - Monthly Cost through Last Month by Region - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1mon sum(UnBlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Daily Cost through Last Month by Region - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  timechart span=1day sum(UnBlendedCost) as TotalCost by AvailabilityZone limit=20
AWS Bill - Total Daytime Cost through Last Month - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour>=7 AND date_hour<=17) | stats sum(UnBlendedCost) as TotalCost
display.general.type = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
AWS Bill - Total Nighttime Cost through Last Month - Unblended
search = | savedsearch "AWS Bill - Detailed Cost Latest Snapshot" | search RecordType=LineItem |  eval date_hour=strftime(_time, "%H") | search (date_hour < 7 OR date_hour > 17) | stats sum(UnBlendedCost) as TotalCost
display.general.type = statistics
display.visualizations.show = 0
request.ui_dispatch_view = search
Addon Metadata - Migrate AWS Accounts
search = | listawsaccounts | collect `aws-account-index`
Addon Metadata - Summarize AWS Inputs
disabled = 1
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = 0
dispatch.latest_time = now
search = | listawsinputs | collect `aws-input-index`
Last modified on 03 April, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

