Install and configure the Content Pack for Amazon Web Services Dashboards and Reports
Perform the following high-level steps to install and configure the Content Pack for Amazon Web Services Dashboards and Reports:
- Install and configure the Splunk Add-on for Amazon Web Services.
- Install the Splunk App for Content Packs to get access to the Content Pack for Amazon Web Services Dashboards and Reports.
- Create indexes.
- Schedule saved searches.
- Enable entity searches.
- Enable data model acceleration.
- Enable AWS Elastic Compute Cloud (EC2) insight recommendation.
- (Optional) Configure dashboard billing options.
- (Optional) Create a custom index for storing AWS accounts and inputs data.
Prerequisites
- Enable the app key value store in the environment where you plan to install the content pack. See About the app key value store in the Splunk Enterprise Admin Manual.
- Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
Install and configure the Splunk Add-on for Amazon Web Services
This content pack depends on data from the Splunk Add-on for Amazon Web Services (AWS), which collects CloudTrail logs, performance, billing, and IT and security data from Amazon Web Services products.
- Download the Splunk Add-on for AWS from Splunkbase.
- Then, install and configure the add-on. See Deploy the Splunk Add-on for AWS in the Splunk Add-on for AWS manual for more information.
The following table shows the installation locations for the content pack and add-on:
Component | Search head/cluster | Indexer/cluster | Forwarder |
---|---|---|---|
Content Pack for Amazon Web Services Dashboards and Reports | ✓ | | |
Splunk Add-on for AWS | ✓ | ✓ | ✓ |
Most configurations for the Content Pack for Amazon Web Services Dashboards and Reports are handled in the Splunk Add-on for Amazon Web Services. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for Amazon Web Services, see Installation overview for the Splunk Add-on for Amazon Web Services in the Splunk Add-on for AWS manual.
Install the Splunk App for Content Packs
The Content Pack for Amazon Web Services Dashboards and Reports is automatically available once you have installed the Splunk App for Content Packs on the search head. For steps to install the Splunk App for Content Packs, see Install the Splunk App for Content Packs.
Install the content pack from Splunk App for Content Packs
After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for AWS Dashboards and Reports:
- From the ITSI or ITE Work main navigation bar, click Configuration and then Data Integrations.
- Select Content Library.
- Select the AWS Dashboards and Reports content pack.
- Review what's included in the content pack and click Proceed.
- Configure the content pack settings.
Setting | Description |
---|---|
Choose which objects to install | For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all. |
Choose a conflict resolution rule for the objects you install | For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options: Install as new: objects are installed and any existing identical objects in your environment remain intact. Replace existing: existing identical objects are replaced with those from the new installation, and any changes you previously made to these objects are overwritten. |
Import as enabled | Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects, such as KPI base searches and saved searches, are installed in their original state regardless of which option you choose. |
Modify status of saved searches | This configuration step is displayed only if the content pack contains saved searches. You can perform one of the following operations: Activate all saved searches: activates all the saved searches associated with the content pack. Deactivate all saved searches: deactivates all the saved searches associated with the content pack. Retain current status of saved searches: preserves the existing status of the saved searches within the content pack. By default, saved searches included in a content pack are in the deactivated state. |
Add a prefix to your new objects | Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects post-install. |
Backfill service KPIs | Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores. |
- When you've completed your selections, click Install selected.
- Click Install to confirm the installation. When the installation completes, you can view all objects that were successfully installed in your environment and the status of the saved searches. A green checkmark on the tile view shows that you have installed some ITE Work or ITSI objects of the content pack. The tile also shows the current status of all the saved searches of the content pack.
Install the Python for Scientific Computing add-on for Recommendations Service
If you're running the Content Pack for Amazon Web Services Dashboards and Reports on Splunk Enterprise, the Recommendations Service feature depends on the Python for Scientific Computing (PSC) add-on version 1.2, available on Splunkbase or your in-product app browser.
Install the appropriate version for your environment on all Splunk search heads running the Content Pack for Amazon Web Services Dashboards and Reports:
- Python for Scientific Computing for Linux 64-bit version 1.2
- Python for Scientific Computing for Linux 32-bit version 1.2
- Python for Scientific Computing for Mac version 1.2
- Python for Scientific Computing for Windows 64-bit version 1.2
Splunk Cloud Platform does not support the Recommendations Service feature. If you use Splunk Cloud Platform you do not need to install the PSC add-on.
If you want to install PSC add-on version 2.0, complete the following steps in the existing version 1.2 package:
- Append _awsapp to the end of the package name. For example, if the package name is Splunk_SA_Scientific_Python_linux_x86_64, rename it to Splunk_SA_Scientific_Python_linux_x86_64_awsapp.
- In the /local/ directory of the Python for Scientific Computing package, create an app.conf file.
- Open app.conf and add a [package] stanza with an id parameter that contains the new package name. For example:
[package]
id = Splunk_SA_Scientific_Python_linux_x86_64_awsapp
The Content Pack for Amazon Web Services Dashboards and Reports is not yet certified for use with version 3.x of Python for Scientific Computing (PSC).
Create indexes
After you install the Content Pack for Amazon Web Services Dashboards and Reports, create summary indexes to report on preconfigured saved searches. The Content Pack for Amazon Web Services Dashboards and Reports uses saved searches and search macros to generate dashboards and reports for AWS data you're collecting. The saved searches and search macros assume certain indexes already exist.
After you create the indexes, schedule the Addon Synchronization saved search to update the search macros and sync the Content Pack for Amazon Web Services Dashboards and Reports with the Splunk Add-on for Amazon Web Services. If you prefer to do this manually, use the macros reference for a list of macros that need to be changed.
Add indexes on every indexer that stores Amazon Web Services data from the Splunk Add-on for Amazon Web Services. By default, the Content Pack for Amazon Web Services Dashboards and Reports is configured to use these summary indexes:
aws_topology_history
aws_topology_daily_snapshot
aws_topology_monthly_snapshot
aws_topology_playback
aws_vpc_flow_logs
aws_anomaly_detection
Create the indexes by adding these index stanzas in the indexes.conf file on each indexer. See indexes.conf in the Splunk Enterprise Admin Manual. See the Administer Splunk Enterprise with configuration files chapter of the Splunk Enterprise Admin Manual to learn more about platform configuration files.
[aws_topology_history]
coldToFrozenDir = $SPLUNK_DB/aws_topology_history/frozendb
coldPath = $SPLUNK_DB/aws_topology_history/colddb
homePath = $SPLUNK_DB/aws_topology_history/db
thawedPath = $SPLUNK_DB/aws_topology_history/thaweddb
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600
repFactor = auto

[aws_topology_daily_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_daily_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_daily_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_daily_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_daily_snapshot/thaweddb
# frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600
repFactor = auto

[aws_topology_monthly_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_monthly_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_monthly_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_monthly_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_monthly_snapshot/thaweddb
# frozen time is 365 days
frozenTimePeriodInSecs = 31536000
maxHotIdleSecs = 86400
repFactor = auto

[aws_topology_playback]
coldToFrozenDir = $SPLUNK_DB/aws_topology_playback/frozendb
coldPath = $SPLUNK_DB/aws_topology_playback/colddb
homePath = $SPLUNK_DB/aws_topology_playback/db
thawedPath = $SPLUNK_DB/aws_topology_playback/thaweddb
# frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600
repFactor = auto

[aws_vpc_flow_logs]
coldToFrozenDir = $SPLUNK_DB/aws_vpc_flow_logs/frozendb
coldPath = $SPLUNK_DB/aws_vpc_flow_logs/colddb
homePath = $SPLUNK_DB/aws_vpc_flow_logs/db
thawedPath = $SPLUNK_DB/aws_vpc_flow_logs/thaweddb
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600
repFactor = auto

[aws_anomaly_detection]
coldToFrozenDir = $SPLUNK_DB/aws_anomaly_detection/frozendb
coldPath = $SPLUNK_DB/aws_anomaly_detection/colddb
homePath = $SPLUNK_DB/aws_anomaly_detection/db
thawedPath = $SPLUNK_DB/aws_anomaly_detection/thaweddb
repFactor = auto
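As an added example (not part of the Splunk documentation or the content pack), the following Python script parses indexes.conf stanzas in the format above and reports which of the six required indexes are missing from an indexer's configuration and how many days each one keeps data searchable before it is frozen; for stanzas that omit frozenTimePeriodInSecs it falls back to Splunk's documented default.

```python
import configparser

# Summary indexes the content pack is configured to use (from the page).
REQUIRED_INDEXES = (
    "aws_topology_history",
    "aws_topology_daily_snapshot",
    "aws_topology_monthly_snapshot",
    "aws_topology_playback",
    "aws_vpc_flow_logs",
    "aws_anomaly_detection",
)

# Splunk's default frozenTimePeriodInSecs when a stanza omits it (about 6 years).
DEFAULT_FROZEN_SECS = 188697600

def parse_indexes_conf(text):
    """Parse indexes.conf text into {stanza: {key: value}}.

    indexes.conf is INI-like with '#' comment lines and case-sensitive keys;
    interpolation is off so values such as $SPLUNK_DB pass through untouched.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep camelCase keys like frozenTimePeriodInSecs
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def check_indexes(stanzas, required=REQUIRED_INDEXES):
    """Return (missing, retention_days) for the required indexes.

    retention_days maps each present index to its frozen period in whole days,
    using Splunk's default when the stanza does not set frozenTimePeriodInSecs.
    """
    missing = [name for name in required if name not in stanzas]
    retention_days = {}
    for name in required:
        if name in stanzas:
            secs = int(stanzas[name].get("frozenTimePeriodInSecs", DEFAULT_FROZEN_SECS))
            retention_days[name] = secs // 86400
    return missing, retention_days

# Constructed sample: two stanzas in the page's format, one of them without
# an explicit frozen period, and the other four required indexes left out.
SAMPLE_CONF = """\
[aws_vpc_flow_logs]
homePath = $SPLUNK_DB/aws_vpc_flow_logs/db
# frozen time is 7 days
frozenTimePeriodInSecs = 604800
repFactor = auto

[aws_anomaly_detection]
homePath = $SPLUNK_DB/aws_anomaly_detection/db
repFactor = auto
"""

if __name__ == "__main__":
    missing, days = check_indexes(parse_indexes_conf(SAMPLE_CONF))
    for name, d in days.items():
        print(f"{name}: searchable for {d} days before being frozen")
    if missing:
        print("missing indexes:", ", ".join(missing))
```

Run it against the indexes.conf from each indexer (for example by reading the file into the parser instead of SAMPLE_CONF) before scheduling the Addon Synchronization saved search, so that a missing index surfaces as a configuration gap rather than as an empty dashboard.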
Schedule saved searches
Schedule the Addon Synchronization saved search only after you create the summary indexes, so that the content pack and the Splunk Add-on for Amazon Web Services work together properly. Follow these steps to run saved searches:
- In Splunk Web, go to the Settings menu and select Searches, reports, and alerts.
- Select AWS Dashboards and Reports (DA-ITSI-CP-aws-dashboards) in the App dropdown.
- Run the Addon Synchronization saved search.
- Configure the schedules for the Addon Synchronization saved search. Click Edit under the Actions column and select Edit Schedule.
- Enable Schedule Report.
- Specify a regular schedule to run each saved search. When you're done, click Save.
Follow these steps to disable a saved search:
- From the Settings menu, select Searches, reports, and alerts.
- Locate the saved search by filtering the list or entering the name of the saved search in the Filter field to search for it.
- In the Actions column of the saved search, select Edit and then Disable to disable the saved search.
The Addon Metadata - Summarize AWS Inputs saved search is included in the Splunk Add-on for AWS but is disabled by default. You must enable this saved search in the Content Pack for Amazon Web Services Dashboards and Reports for it to work properly. The saved search is used to aggregate inputs and accounts data in the summary index.
For more information on saved searches knowledge objects, see Saved searches.
Enable entity searches
There are four entity discovery searches included with this content pack. They are disabled by default. When you are ready to get your data in, follow these steps to enable the entity discovery searches for Amazon Web Services Dashboards and Reports.
You must have administrator rights to follow the steps below.
- In Splunk Enterprise go to Settings > Searches, reports, and alerts.
- In the Type dropdown, select All.
- In the App dropdown, select AWS Dashboards and Reports (DA-ITSI-CP-aws-dashboards).
- In the Owner dropdown, select All.
- Select Edit > Enable for each search you want to enable. For example, if you would like to see the AWS EC2 entities in your environment, enable the ITSI Import Objects - Import EC2 Instance Entity saved search. The four entity discovery searches are:
ITSI Import Objects - Import EC2 Instance Entity
ITSI Import Objects - Import EBS Volume Entity
ITSI Import Objects - Import Lambda Function Entity
ITSI Import Objects - Import ELB Instance Entity
After you or Splunk support personnel install the Content Pack for Amazon Web Services Dashboards and Reports, you must log in to your search head and set up your entities as described below.
To set up the entities, perform the following steps:
- Open Apps > IT Essentials Work
- In the Configuration tab, select Data Integration
- Select Content Library
- From the Content Library dropdown, select the AWS Dashboards and Reports content pack
- Follow the instructions to finish content pack configuration including entity type installation.
When you've finished enabling the entity searches to import your entities, go to Infrastructure Overview to see your entities.
Enable data model acceleration
The acceleration of the following data models is disabled by default:
CloudFront Access Log
Detailed Billing
Detailed Billing CUR
Instance Hour
Instance Hour CUR
You can enable acceleration for these data models to populate the data on the dashboards packaged in the content pack. You must be an admin to enable data acceleration or change the acceleration period. Complete the following steps on the search head to enable the acceleration of the defined data models:
- In Splunk Web, go to Settings > Data Models.
- From the App list, select IT Service Intelligence (ITSI) or IT Essentials Work to see the data models defined and used by the content pack.
- Select Edit for the data model you want to enable acceleration for.
- Select Edit Acceleration.
- Check Accelerate.
- Select the summary range to specify the acceleration period or keep the default selection.
- Click Save.
- (Optional) To improve performance for Billing dashboards, change the aws-data-model-acceleration macro definition to summariesonly=t.
Enable EC2 insight recommendation
The Content Pack for Amazon Web Services Dashboards and Reports contains the required knowledge object for the EC2 insight recommendation feature. To enable the feature, follow these steps:
- In Splunk Web, go to Settings > Searches, reports, and alerts.
- Select AWS Dashboards and Reports in the app filter.
- Find the Topology History Generator saved search and click Run in the Actions column.
- Enable scheduling for Config: Topology History Appender and Config: Topology Daily Snapshot Generator saved searches.
- Run this search in Splunk Web to get recommendation results:
rest services/saas-aws/da_itsi_cp_aws_recommendation splunk_server=local
Machine learning (ML) insights are stored in the recommendationResults_kvstore collection.
Configure dashboard billing options
If you want to monitor billing data, go to the Configure AWS Billing Tags dashboard under Dashboards > Dashboards to select your billing tags. For more information about using custom tags in the Content Pack for Amazon Web Services Dashboards and Reports, see Select tags for your Historical Detailed Billing and Capacity Planner dashboards.
Create a custom index for storing AWS accounts and inputs data
Most configurations for the Content Pack for Amazon Web Services Dashboards and Reports are handled in the Splunk Add-on for Amazon Web Services. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for Amazon Web Services, see Installation overview for the Splunk Add-on for Amazon Web Services in the Splunk Add-on for AWS manual.
By default, your AWS accounts and inputs data are stored in a predefined index titled summary. You can create a custom index to store the AWS accounts and inputs data that is most valuable to you. If you want to use a custom index, perform the following steps:
- Create an index in which you want to store AWS accounts and inputs data. You must create the index on an indexer or indexer cluster, and not on a search head or heavy forwarder. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual for information about creating an index.
- In the Splunk Add-on for Amazon Web Services, modify the aws-account-index and aws-input-index macros to include the custom index you created.
  - Go to Settings > Advanced Search > Search Macros.
  - Select the macro from the list.
  - For the index field, replace summary with the name of the index you created.
- In the Splunk Add-on for Amazon Web Services, run these saved searches: Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs.
  - Go to Settings > Searches, Reports, and Alerts.
  - Find the Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs saved searches.
  - In the Actions column, click Run for each saved search.
- In the Content Pack for Amazon Web Services Dashboards and Reports, modify the aws-account-summary and aws-sourcetype-index-summary macros to include the custom index you created.
  - Go to Settings > Advanced Search > Search Macros.
  - Select the macro from the list.
  - For the index field, replace summary with the name of the index you created.
- In the Content Pack for Amazon Web Services Dashboards and Reports, run the Addon Synchronization saved search to sync the macros.
Next step
After you install and configure the Content Pack for Amazon Web Services Dashboards and Reports, you can start using the dashboards and visualizations in the content pack to monitor your environment. For instructions, see Use the Content Pack for Amazon Web Services Dashboards and Reports.
This documentation applies to the following versions of Content Pack for Amazon Web Services Dashboards and Reports: 1.5.0