Content Pack for Amazon Web Services Dashboards and Reports

Migrate from the Splunk App for AWS to the Content Pack for Amazon Web Services Dashboards and Reports

The dashboards from the Splunk App for AWS are now packaged, according to their use case, in two apps: the Splunk App for Content Packs and the Splunk App for AWS Security Dashboards.

Based on the primary use case that you want Splunk App for AWS to enable, you may want to use one or both of the above-mentioned Apps.

On July 15, 2022, the Splunk App for AWS reached its end of life. Splunk no longer maintains or develops this product. The functionality in this app migrated to the Content Pack for Amazon Web Services Dashboards and Reports.

If you are currently using the Splunk App for AWS, your deployment might look like the following image:

This image is a diagram of pre-migration deployment. A series of connected boxes represent the different parts of a deployment and include the Data Collection Node, Indexer, and Search Heads. Review the table that follows for more information.
Product Data collection node (forwarder) Indexer Search head
Splunk Add-on for AWS
Splunk App for AWS

To review dashboards included with the Content Pack for Amazon Web Services Dashboards and Reports before you migrate, see Dashboard reference for the Content Pack for Amazon Web Services Dashboards and Reports.

Changes in Splunk Add-on for Amazon Web Services

The Splunk Add-on for AWS has deprecated the aws:description source type. In versions 6.0.0 and later, it supports the aws:metadata source type to get data in. For more information about the source types that the Splunk Add-on for AWS supports, see Source types for the Splunk Add-on for AWS.

Migration steps for cloud environments

For migration on Cloud, file a ticket on the Splunk Support Portal, in the Support and Services section. Splunk Cloud TechOps will assist you with migration from Splunk App for AWS to Content Pack for AWS Dashboards and Reports.

Update configuration and access dashboards for IT Monitoring use case

If you are ingesting the AWS Metadata data in custom indexes other than the default indexes used by Splunk App for AWS, then perform the following steps after your stack is migrated from Splunk App for AWS to Splunk App for Content Packs (including the Content Pack for AWS Dashboards and Reports):

  1. Open IT Essentials Work or IT Service Intelligence
  2. Navigate to Settings > Advanced Search
  3. Click on Search macros
  4. Select AWS Dashboards and Reports from the App drop-down
  5. Search for the macro in the third column of the table in the Search bar
  6. Copy the definition with the custom indexes value
  7. Search for the macro listed in the fourth column of the table in the Search bar
  8. Update the definition with the copied custom indexes value.

| Type of data ingested from Splunk Add-on for AWS in custom indexes for versions earlier than 6.0.0 | Type of data ingested from Splunk Add-on for AWS in custom indexes for version 6.0.0 or later | Macro present in Splunk App for AWS | Corresponding macro to be configured in AWS Dashboards and Reports Content Pack for custom indexes | Example value for macro |
|---|---|---|---|---|
| Description data | Metadata data | aws-description-index | aws-metadata-index | index = custom_index1 OR index = custom_index2 |

Update configuration and access dashboards for Security use case

If you are ingesting the AWS Metadata data in custom indexes other than the default indexes used by Splunk App for AWS, then perform the following steps after your stack is migrated from Splunk App for AWS to Splunk App for AWS Security Dashboards:

  1. Open Splunk App for AWS Security Dashboards
  2. Navigate to Settings > Advanced Search
  3. Click on Search macros
  4. Select AWS Dashboards and Reports from the App drop-down
  5. Search for the macro in the third column of the table in the Search bar
  6. Copy the definition with the custom indexes value
  7. Search for the macro listed in the fourth column of the table in the Search bar
  8. Update the definition with the copied custom indexes value.

| Type of data ingested from Splunk Add-on for AWS in custom indexes for versions earlier than 6.0.0 | Type of data ingested from Splunk Add-on for AWS in custom indexes for version 6.0.0 or later | Macro present in Splunk App for AWS | Corresponding macro to be configured in Splunk App for AWS Security Dashboards for custom indexes | Example value for macro |
|---|---|---|---|---|
| Description data | Metadata data | aws-description-index | aws-metadata-index | index = custom_index1 OR index = custom_index2 |

After updating the definition in the procedure above, run AWS Security Addon Synchronization SavedSearch:

  1. Navigate to Settings > Searches, Reports, and Alerts
  2. Search AWS Security Addon Synchronization SavedSearch
  3. Click on Run from the Actions tab
  4. Accelerate the data models present in Splunk App for AWS Security Dashboards as per the use case.

Migration steps for on-premises standalone or distributed environments

If you're using an on-prem environment, you can perform the migration from the Splunk App for AWS to the Content Pack for Amazon Web Services Dashboards and Reports yourself.

Before migration

Before migrating to Content Pack for AWS Dashboards and Reports, make sure to follow the steps below in order to make a backup of your custom configurations and lookups.

  1. Make a backup of the following directories in the splunk_app_aws package present in the $SPLUNK_HOME/etc/apps on each search head:
    1. /local directory which contains all the local configurations of the conf files
    2. /lookups directory which contains the CSV lookups
  2. Make a backup of the KV Store lookups present in the app.
    1. Identify the KV Store captain among the search heads. (Perform this step if you are using a search head cluster environment.) In a single search head deployment, the only search head is the KV Store captain:
      $SPLUNK_HOME/bin/splunk show kvstore-status
    2. Log in to the KV Store captain search head and run the following command:
      $SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_aws_kvstore_backup -appName splunk_app_aws
    3. Identify the latest backup in $SPLUNK_HOME/var/lib/splunk/kvstorebackup and copy the splunk_app_aws_kvstore_backup.tar.gz backup file to $SPLUNK_HOME/tmp. This archive file is required to restore the App KV Store lookup data during migration.

In Splunk App for Content Packs version 1.7.0 and later, the use of aws:description sourcetype in AWS Dashboards and Reports Content Pack is deprecated because Splunk App for Content Packs now supports the aws:metadata sourcetype. See the Deployment requirements table in "About the Content Pack for Amazon Web Services Dashboards and Reports" to ensure the correct version of the content pack, ITSI, IT Essentials Work, and the Splunk Add-on for AWS.

Migrate from Splunk App for AWS to Content Pack for AWS Dashboards and Reports

Follow the steps below to migrate from Splunk App for AWS to Content Pack for AWS Dashboards and Reports. Only perform this migration procedure after you've completed the prerequisites in the "Before migration" sub-section to back up your existing lookups and custom configurations.

  1. Perform the following steps on each search head present in your deployment to disable the Splunk App for AWS
    1. Navigate to $SPLUNK_HOME/etc/apps/splunk_app_aws/local, create an app.conf file there if it is not present, then edit the "state" property of the "install" stanza in app.conf as shown below:
      [install]
      state = disabled
      
    2. Restart the instance:
      $SPLUNK_HOME/bin/splunk restart
  2. Install IT Service Intelligence (ITSI) or IT Essentials Work on the same search head with AWS data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
    1. Install Splunk IT Service Intelligence on a single instance
    2. Install Splunk IT Service intelligence in a distributed environment
    3. Install IT Service Intelligence in a search head cluster environment
    4. Install IT Essentials Work
  3. Install the Splunk App for Content Packs according to your type of deployment as per the deployment requirements:
    1. Install the Splunk App for Content Packs on a single on-premises environment
    2. Install the Splunk App for Content Packs on a search head cluster environment
    3. Install the Splunk App for Content Packs on a distributed environment

After you've completed the previous steps, the deployment looks like the following image:

This image is a diagram of post-migration deployment. A series of connected boxes represent the different parts of a deployment and include the Data Collection Node, Indexer, and Search Heads. Review the table that follows for more information.
Product Data collection node (forwarder) Indexer Search head
Splunk Add-on for AWS
Splunk App for AWS Disabled
ITSI or IT Essentials Work
Splunk App for Content Packs

After migration

After migration, perform the following procedure:

  1. Restore the backup of the KV Store lookup.
    1. Identify the KV Store captain among the search heads. (Perform this step if you are using a search head cluster environment.) In a single search head deployment, the only search head is the KV Store captain:
      $SPLUNK_HOME/bin/splunk show kvstore-status
    2. If the KV Store captain has changed, move the KV Store backup file from the old KV Store captain to the current KV Store captain. Run the following command on the search head where the KV Store backup was taken as part of the "Before migration" sub-section. (Perform this step if you are using a search head cluster environment.)
      scp /path_of_splunk_app_aws_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
    3. Log in to the KV Store captain search head and update the owner of the backup tar file:
      chown splunk:splunk $SPLUNK_HOME/tmp/splunk_app_aws_kvstore_backup.tar.gz
    4. On your current KV Store captain, untar the backup tar file into $SPLUNK_HOME/tmp:
      tar -xzvf $SPLUNK_HOME/tmp/splunk_app_aws_kvstore_backup.tar.gz -C $SPLUNK_HOME/tmp
    5. Rename the folder:
      mv $SPLUNK_HOME/tmp/splunk_app_aws $SPLUNK_HOME/tmp/DA-ITSI-CP-aws-dashboards
    6. Tar the renamed folder:
      tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-aws-dashboards_kvstore_backup.tar.gz -C $SPLUNK_HOME/tmp DA-ITSI-CP-aws-dashboards
    7. Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-aws-dashboards_kvstore_backup.tar.gz file to $SPLUNK_HOME/var/lib/splunk/kvstorebackup.
    8. Restore the backup:
      $SPLUNK_HOME/bin/splunk restore kvstore -archiveName DA-ITSI-CP-aws-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-aws-dashboards
  2. Perform the following steps on each search head present in your deployment:
    1. Move the following directories, which you backed up from the app package before you started migration, to the DA-ITSI-CP-aws-dashboards folder:
      1. /local directory collected from the app which contains all the local configurations of the app
      2. /lookups directory
    2. Remove the app.conf file from the local directory.
    3. (Optional) Navigate to the $SPLUNK_HOME/etc/apps/DA-ITSI-CP-aws-dashboards/local directory.
      1. If the datamodels.conf file is present, remove the ELB_Access_Log and S3_Access_Log stanzas and their content, if present.
    4. Restart the instance:
      $SPLUNK_HOME/bin/splunk restart
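
Sub-steps 4 through 6 of the KV Store restore above (untar, rename the folder, re-tar) can be scripted as one function. This is an added example, not code from the Splunk documentation: the function name repack_kvstore_backup and its arguments are assumptions, and it goes beyond the manual steps by checking the archive's member paths before extracting anything.

```shell
#!/bin/sh
# Added example (not Splunk's code). Function name and arguments are assumptions.
# Usage: repack_kvstore_backup SRC_ARCHIVE OLD_APP NEW_APP OUT_DIR
# Prints the path of the repacked archive; returns non-zero on any failure.
repack_kvstore_backup() {
    src=$1; old=$2; new=$3; out=$4; rc=0
    [ -f "$src" ] || { echo "missing archive: $src" >&2; return 1; }

    # List members first; nothing is written to disk until they pass both checks.
    members=$(tar -tzf "$src") || return 1

    # Reject absolute paths and ".." components.
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $src" >&2; return 1
    fi
    # Every member must sit under the OLD_APP folder (OLD_APP is used as a regex,
    # so keep it to plain app-name characters).
    if printf '%s\n' "$members" | grep -Evq "^(\./)?${old}(/|\$)"; then
        echo "member outside $old/ in $src" >&2; return 1
    fi

    work=$(mktemp -d) || return 1
    (
        umask 077    # extracted files and the new archive: owner-only
        tar -xzf "$src" -C "$work" &&
        mv "$work/$old" "$work/$new" &&
        mkdir -p "$out" &&
        tar -czf "$out/${new}_kvstore_backup.tar.gz" -C "$work" "$new"
    ) || rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] || return "$rc"
    printf '%s\n' "$out/${new}_kvstore_backup.tar.gz"
}
```

Run it as the user that owns the Splunk installation, with OUT_DIR set to $SPLUNK_HOME/var/lib/splunk/kvstorebackup, before the restore command in sub-step 8.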

Install and configure Content Pack for AWS Dashboards and Reports

Dashboards present in Splunk App for AWS are installed by default in Content Pack for AWS Dashboards and Reports. Follow the steps below to enable the saved searches used by the content pack dashboards and ITSI objects, and to install additional ITSI objects provided by the content pack:

  1. Make sure that the AWS data collected using the Splunk Add-on for AWS is searchable from the search head where you installed the Splunk App for Content Packs.
  2. Follow the steps to Install and configure the Content Pack for Amazon Web Services Dashboards and Reports.

Access the dashboards in the content pack

You can now access the dashboards from the content pack:

  1. Log into your Splunk platform instance and open ITSI or IT Essentials Work.
  2. Go to Dashboards on the main navigation bar and choose Dashboards from the drop-down menu.
  3. From the list of dashboards, those with the suffix - AWS are from the Content Pack for Amazon Web Services Dashboards and Reports. Select the dashboard title to open the dashboard.

Configure the Content Pack for Amazon Web Services Dashboards and Reports in a new environment

The second option for migrating from the Splunk App for AWS to the Content Pack for Amazon Web Services Dashboards and Reports is to configure the content pack in a new environment.

To configure the content pack in a new environment, create a test environment and perform these steps to set up the Content Pack for Amazon Web Services Dashboards and Reports:

  1. After installing the Splunk App for Content Packs, install the content pack in your test environment.
  2. After you complete testing the content pack in your test environment, install the content pack in your production environment.

To learn how to install the content pack, see Install and configure the Content Pack for Amazon Web Services Dashboards and Reports.

Last modified on 10 October, 2023

This documentation applies to the following versions of Content Pack for Amazon Web Services Dashboards and Reports: 1.3.1, 1.3.2, 1.4.0

