Knowledge objects reference for the Content Pack for Amazon Web Services Dashboards and Reports
The Content Pack for Amazon Web Services Dashboards and Reports includes knowledge objects that populate the dashboards included with the content pack.
You can configure each of the dashboards included with the content pack. Refer to the following tables to view the configurable input types by dashboard.
Saved searches
To learn how to configure saved searches, see Schedule saved searches.
The Addon Metadata - Summarize AWS Inputs saved search is included in the Splunk Add-on for AWS but is disabled by default. You must enable this saved search in the Content Pack for Amazon Web Services Dashboards and Reports for it to work properly. The saved search is used to aggregate inputs and accounts data in the summary index.
The Content Pack for Amazon Web Services Dashboards and Reports includes the following saved searches:
Name | Description | Required action |
---|---|---|
Add-on Synchronization | Synchronizes macro searches between the Splunk Add-on for AWS and the Content Pack for Amazon Web Services Dashboards and Reports. Fetches AWS account IDs from summary index and adds account IDs in a CSV lookup file, all_account_ids.csv. The Content Pack for Amazon Web Services Dashboards and Reports never deletes account IDs from the CSV lookup file. | If you use any indexes other than main, run and schedule this saved search to update the app index search macro. |
Amazon Inspector: Topology Amazon Inspector Recommendation Generator | Generates Amazon Inspector data for the Amazon Inspector & Config Rules layer on the Topology dashboard. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
AWS: calculate data volume indexed | Calculates how much data volume the app and add-on have ingested daily. | Automatically enabled. Scheduled to run once daily at twenty minutes past midnight. |
AWS Billing - Account Name Appender | Appends the data of minus one day to the account_name.csv lookup file so that the dashboards display friendly names for the account IDs in your billing reports. This saved search runs automatically the first time that a user accesses any billing dashboard. If you have a large amount of data, this search can take up to a minute to fully populate the lookup file. | Manual configuration isn't required. Scheduled to run daily at midnight when the add-on synchronization executes. |
AWS Billing - Account Name Generator | Populates the account name lookup file, account_name.csv, so that the dashboards display friendly names for the account IDs in your billing reports. | Runs when add-on synchronization executes. Only needs to run once. |
AWS Config - Tags Appender | Appends the data of minus one day to the account_name.csv lookup file. | Manual configuration isn't required. Scheduled to run daily at midnight when the add-on synchronization executes. |
AWS Config - Tags Generator | Extracts user tags from AWS config data. | Runs when add-on synchronization executes. Only needs to run once. |
AWS Metadata - CloudFront Edges | Generates metadata for CloudFront edges. Automatically enabled when you configure any input through the Configure AWS Billing Tags Dashboard. Scheduled to run once daily. | If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search. |
AWS Metadata - Tags | Extracts user tags from AWS metadata. Automatically enabled when you configure any input through the Configure AWS Billing Tags Dashboard. Scheduled to run once daily at midnight. | If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search. |
Billing: Topology Billing Metric Generator | Generates billing data for Billing layer on the Topology dashboard. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
Billing CUR: Billing Reports AssemblyId Generator | Populates the billing_report_assemblyid_cur.csv lookup file to map the monthly AWS Cost and Usage Report to the assemblyId. Runs automatically the first time a user accesses a dashboard that contains billing data. Scheduled to run once a day. | If you configure inputs through the Splunk Add-on for Amazon Web Services, manually enable and schedule this saved search. |
Billing CUR: Topology Billing Metric Generator | Generates billing data from the AWS Cost and Usage Report for the Billing layer on the Topology dashboard. | Automatically enabled. Scheduled to run every hour. If you configure inputs through the Splunk Add-on for Amazon Web Services, manually enable and schedule this saved search. |
CloudTrail Base Search | Used for report acceleration. | Accelerated search. No action required. |
CloudTrail EventName Generator | Extracts the event names from CloudTrail. | Automatically enabled. Scheduled to run every twenty minutes: on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudTrail S3 Data Event Search | Used for report acceleration. | Accelerated search. No action required. |
CloudTrail Timechart Search | Used for report acceleration. | Accelerated search. No action required. |
CloudWatch: Topology CPU Metric Generator | Gets past day's average value for CPU Percentage from CloudWatch every hour. It is used on the topology dashboard in the KPI tooltip and CPU Utilization layer. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Disk IO Metric Generator | Gets past day's average value for Disk IO Operation Count from CloudWatch every hour. It is used on the topology dashboard in the KPI tooltip. | Automatically enabled. Scheduled to run every hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Network Traffic Metric Generator | Gets past day's average value for Network IO Size from CloudWatch every hour. It is used on the topology dashboard in the KPI tooltip and the Network Traffic layer. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Volume IO Metric Generator | Gets past day's average value for Volume IO Operation Count from CloudWatch every hour. It is used on the topology dashboard in the KPI tooltip. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
CloudWatch: Topology Volume Traffic Metric Generator | Gets past day's average value for Volume IO Size from CloudWatch every hour. It is used on the topology dashboard in the KPI tooltip and the Network Traffic layer. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
Config: Topology Daily Snapshot Generator | Generates a daily snapshot of AWS topology. | Enable the scheduled report. |
Config: Topology History Appender | Appends new AWS Config data collected through the Splunk Add-on for AWS to summary index, which is used to generate the AWS topology daily snapshot. | Enable the scheduled report. |
Config: Topology History Generator | Migrates previous AWS Config data before update to the summary index, which is used to generate the AWS topology daily snapshot. | Enable the scheduled report. |
Config: Topology Monthly Snapshot Generator | Generates monthly snapshot of AWS topology. | Enable the scheduled report. |
Config Rules: Topology Config Rules Generator | Generates Config Rules data for the Amazon Inspector & Config Rules layer on the Topology dashboard. | Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, you should manually enable and schedule this saved search. |
Insights: ELB, Insights: EIP, Insights: EBS | Generates insights. Automatically enabled when you configure any input through the Configure AWS Billing Tags Dashboard. Scheduled to run every hour. | If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search. |
Machine Learning Recommendation | Runs daily to generate recommendations on the EC2 dashboard. Automatically enabled. Scheduled to run daily at 9 PM. | No action required. Do not run this search manually. |
VPC Flow Logs Summary Generator (Dest Port, Dest IP, Src IP) | Generates VPC Flow Logs data in the summary index. | Enable the scheduled report. |
Lookups
The Content Pack for Amazon Web Services Dashboards and Reports includes lookups that map data from AWS to support dashboard displays. The lookup files are located in $SPLUNK_HOME/etc/apps/DA-ITSI-CP-aws-dashboards/lookups on Unix based systems or %SPLUNK_HOME%\etc\apps\DA-ITSI-CP-aws-dashboards\lookups on Windows systems.
File name | Description |
---|---|
all_eventName.csv | Maps Identity and Access Management (IAM) event names to an alert level and Boolean value for notable event status. |
cn_price.csv | Maps instance_type to region; fields: instance_type, region, on_demand_hourly, reserved_one_all_yearly, reserved_one_partial_yearly, reserved_one_partial_hourly. |
price.csv | Maps instance_type to region; fields: instance_type, region, on_demand_hourly, reserved_one_all_yearly, reserved_one_partial_yearly, reserved_one_partial_hourly. |
resource_timeline_services.csv | Maps serviceID to serviceName. |
regions.csv | Maps AWS region strings to latitude and longitude calculations and friendly names. |
unauthorized_errorCode.csv | Maps four variations on unauthorized error strings to a Boolean value. |
well_known_ports.csv | Maps name to port name. |
Data models
The Content Pack for Amazon Web Services Dashboards and Reports includes the following data models to support dashboard performance:
For the Detailed Billing and Detailed Billing CUR data models, you can change the aws-data-model-acceleration macro definition to summariesonly=t to improve billing dashboard performance.
Name | Description | Accelerated | Required action |
---|---|---|---|
CloudFront Access Log | Supports the Overview dashboard. | No | Enable acceleration. |
Detailed Billing | Supports the Historical Detailed Bills and Billing - Detailed Overview dashboards. | No | Enable acceleration. |
Detailed Billing CUR | Supports the Historical Detailed Bills CUR, Historical Monthly Bills CUR, Budget Planner CUR, and Billing - CUR Overview dashboards. | No | Enable acceleration. |
Instance Hour | Supports the Capacity Planner dashboard. | No | Enable acceleration. |
Instance Hour CUR | Supports the Capacity Planner CUR, Reserved Instance Planner CUR, Reserved Instance Planner Details CUR, and Historical Monthly Bills CUR dashboards. | No | Enable acceleration. |
Macros
The Content Pack for Amazon Web Services Dashboards and Reports includes the following set of macros that support dashboard performance:
Many of these macros use the main or default index. If you use an index other than main to store your data, you need to add it to the macro definition. You can schedule the Add-on Synchronization saved search to update the macros automatically.
Name | Default macro definition | Required update if you manage inputs from the add-on |
---|---|---|
aws-cloudtrail-index | index="main" OR index="aws-cloudtrail" | If you are using any index for your CloudTrail data other than main, aws-cloudtrail, or another default index you set for your environment, add it to this definition. |
aws-config-index | index="main" OR index="aws-config" | If you are using any index for your AWS Config data other than main, aws-config, or another default index you set for your environment, add it to this definition. |
aws-billing-index | index="main" OR index="default" | If you are using any index for your Billing data other than main or another default index you set for your environment, add it to this definition. |
aws-billing-index-cur | index="main" | If you are using any index for your AWS Cost and Usage Report data other than main or another default index you set for your environment, add it to this definition. |
aws-cloudwatch-index | index="main" OR index="default" | If you are using any index for your CloudWatch data other than main or another default index you set for your environment, add it to this definition. |
aws-cloudwatch-logs-index | index="main" OR index="default" | If you are using any indexes other than main for your CloudWatch Logs data, including any data that you collect through the add-on's Kinesis input, add them to this definition. |
aws-metadata-index | index="main" OR index="default" | If you are using any index for your Metadata data other than main, add it to this definition. |
aws-config-rule-index | index="main" OR index="default" | If you are using any index for your Config Rule data other than main, add it to this definition. |
aws-inspector-index | index="main" OR index="default" | If you are using any index for your Amazon Inspector data other than main, add it to this definition. |
aws-s3-index | index="main" | If you are using any indexes for your S3 access logs, Elastic Load Balancing (ELB) access logs, and CloudFront access logs other than main, add them to this definition. |
aws-data-model-acceleration | summariesonly=f | If you want to improve performance for Billing dashboards and have already enabled data model acceleration, change the definition to summariesonly=t. |
cp-aws-dashboards-awsanomalydetection-index | index="aws_anomaly_detection" | If you are using any index other than aws_anomaly_detection for your summary data, or have another default index you set for your environment, add it to this definition. |
cp-aws-dashboards-summary-index | index="summary" | If you are using any index other than summary for your summary data, or have another default index you set for your environment, add it to this definition. |
topology-daily-snapshot-index | index="aws_topology_daily_snapshot" | If you are using any index other than aws_topology_daily_snapshot for your summary data, or have another default index you set for your environment, add it to this definition. |
topology-history-index | index="aws_topology_history" | If you are using any index other than aws_topology_history for your summary data, or have another default index you set for your environment, add it to this definition. |
topology-monthly-snapshot-index | index="aws_topology_monthly_snapshot" | If you are using any index other than aws_topology_monthly_snapshot for your summary data, or have another default index you set for your environment, add it to this definition. |
topology-playback-index | index="aws_topology_playback" | If you are using any index other than aws_topology_playback for your summary data, or have another default index you set for your environment, add it to this definition. |
This documentation applies to the following versions of Content Pack for Amazon Web Services Dashboards and Reports: 1.5.0, 1.5.1