Splunk® Content Packs for ITSI and IT Essentials Work

Knowledge objects reference for the Content Pack for Amazon Web Services Dashboards and Reports

The Content Pack for Amazon Web Services Dashboards and Reports includes knowledge objects that populate the dashboards included with the content pack.

You can configure each of the dashboards included with the content pack. The following tables list the knowledge objects the dashboards depend on and the action, if any, required to make each one work in your environment.


Saved searches

To learn how to configure saved searches, see Schedule saved searches.

The Addon Metadata - Summarize AWS Inputs saved search is included in the Splunk Add-on for AWS but is disabled by default. You must enable it for the Content Pack for Amazon Web Services Dashboards and Reports to work properly: this saved search aggregates the inputs and accounts data into the summary index that the content pack reads.

The Content Pack for Amazon Web Services Dashboards and Reports includes the following saved searches:

Each entry gives the saved search name, what it does, and the action required.

Add-on Synchronization
Description: Synchronizes macro searches between the Splunk Add-on for AWS and the Content Pack for Amazon Web Services Dashboards and Reports. Fetches AWS account IDs from the summary index and adds them to a CSV lookup file, all_account_ids.csv. The content pack never deletes account IDs from this lookup file.
Required action: If you use any indexes other than main, run and schedule this saved search to update the index search macros.

Amazon Inspector: Topology Amazon Inspector Recommendation Generator
Description: Generates Amazon Inspector data for the Amazon Inspector & Config Rules layer on the Topology dashboard.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

AWS: calculate data volume indexed
Description: Calculates how much data volume the app and add-on have ingested daily.
Required action: Automatically enabled. Scheduled to run once daily at twenty minutes past midnight.

AWS Billing - Account Name
Description: Populates an account name lookup file, account_name.csv, so that the dashboards can display friendly names for the account IDs in your billing reports.
Required action: Runs automatically the first time a user accesses any billing dashboard. If you have a large amount of data, the search can take up to a minute to fully populate the lookup file. The search is not scheduled, so after its first run the lookup is not updated again. If your billing reports later include additional accounts, run the saved search again manually to capture the friendly names for those accounts.

AWS Config - Tags
Description: Extracts user tags from AWS Config data.
Required action: Automatically enabled when you configure any input through the Configure AWS Billing Tags dashboard. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search.

AWS Description - CloudFront Edges
Description: Generates metadata for CloudFront edges.
Required action: Automatically enabled when you configure any input through the Configure AWS Billing Tags dashboard. Scheduled to run once daily. If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search.

AWS Description - Tags
Description: Extracts user tags from description data.
Required action: Automatically enabled when you configure any input through the Configure AWS Billing Tags dashboard. Scheduled to run once daily at midnight. If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search.

Billing: Topology Billing Metric Generator
Description: Generates billing data for the Billing layer on the Topology dashboard.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

Billing CUR: Billing Reports AssemblyId Generator
Description: Populates the billing_report_assemblyid_cur.csv lookup file, which maps each monthly AWS Cost and Usage Report to its assemblyId.
Required action: Runs automatically the first time a user accesses a dashboard that contains billing data. Scheduled to run once a day. If you configure inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search.

Billing CUR: Topology Billing Metric Generator
Description: Generates billing data from the AWS Cost and Usage Report for the Billing layer on the Topology dashboard.
Required action: Automatically enabled. Scheduled to run every hour. If you configure inputs through the Splunk Add-on for AWS, manually enable and schedule this saved search.

CloudTrail Base Search
Description: Used for report acceleration.
Required action: Accelerated search. No action required.

CloudTrail EventName Generator
Description: Extracts the event names from CloudTrail data.
Required action: Automatically enabled. Scheduled to run every twenty minutes: on the hour, twenty minutes past the hour, and forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

CloudTrail S3 Data Event Search
Description: Used for report acceleration.
Required action: Accelerated search. No action required.

CloudTrail Timechart Search
Description: Used for report acceleration.
Required action: Accelerated search. No action required.

CloudWatch: Topology CPU Metric Generator
Description: Gets the past day's average CPU percentage from CloudWatch every hour. Used on the Topology dashboard in the KPI tooltip and the CPU Utilization layer.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

CloudWatch: Topology Disk IO Metric Generator
Description: Gets the past day's average Disk IO operation count from CloudWatch every hour. Used on the Topology dashboard in the KPI tooltip.
Required action: Automatically enabled. Scheduled to run every hour, at forty minutes past the hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

CloudWatch: Topology Network Traffic Metric Generator
Description: Gets the past day's average Network IO size from CloudWatch every hour. Used on the Topology dashboard in the KPI tooltip and the Network Traffic layer.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

CloudWatch: Topology Volume IO Metric Generator
Description: Gets the past day's average Volume IO operation count from CloudWatch every hour. Used on the Topology dashboard in the KPI tooltip.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

CloudWatch: Topology Volume Traffic Metric Generator
Description: Gets the past day's average Volume IO size from CloudWatch every hour. Used on the Topology dashboard in the KPI tooltip and the Network Traffic layer.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

Config: Topology Daily Snapshot Generator
Description: Generates a daily snapshot of the AWS topology.
Required action: Enable the scheduled report.

Config: Topology History Appender
Description: Appends new AWS Config data collected through the Splunk Add-on for AWS to the summary index, which is used to generate the AWS topology daily snapshot.
Required action: Enable the scheduled report.

Config: Topology History Generator
Description: Migrates AWS Config data collected before the update into the summary index, which is used to generate the AWS topology daily snapshot.
Required action: Enable the scheduled report.

Config Rules: Topology Config Rules Generator
Description: Generates Config Rules data for the Amazon Inspector & Config Rules layer on the Topology dashboard.
Required action: Automatically enabled. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS instead, manually enable and schedule this saved search.

Insights: ELB, Insights: EIP, Insights: EBS
Description: Generate insights.
Required action: Automatically enabled when you configure any input through the Configure AWS Billing Tags dashboard. Scheduled to run every hour. If you configure all your inputs through the Splunk Add-on for AWS, manually enable and schedule these saved searches.

Machine Learning Recommendation
Description: Runs daily to generate recommendations on the EC2 dashboard.
Required action: Automatically enabled. Scheduled to run daily at 9 PM. No action required. Do not run this search manually.

VPC Flow Logs Summary Generator (Dest Port, Dest IP, Src IP)
Description: Generates VPC Flow Logs data in the summary index.
Required action: Enable the scheduled report.
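The "manually enable and schedule" and "enable the scheduled report" actions above can be done in Splunk Web, but on a managed deployment they usually end up as local savedsearches.conf overrides. The stanzas below are an added example, not configuration shipped with the content pack or the add-on. The app directory DA-ITSI-CP-aws-dashboards is the one this page gives for the content pack's lookups; the cron expression for CloudTrail EventName Generator is the schedule stated in the table, while the daily time for Config: Topology Daily Snapshot Generator is an assumption, since the page does not give one. The Addon Metadata - Summarize AWS Inputs stanza belongs in the add-on's own local directory, not in the content pack.

```ini
# $SPLUNK_HOME/etc/apps/DA-ITSI-CP-aws-dashboards/local/savedsearches.conf
# Added example: local overrides for saved searches the table says you must
# enable and schedule yourself when all inputs are configured in the add-on.

# Schedule taken from the table: on the hour, 20 past and 40 past.
[CloudTrail EventName Generator]
disabled = 0
enableSched = 1
cron_schedule = 0,20,40 * * * *

# The table says "Enable the scheduled report" but gives no time; a run
# shortly after midnight is an assumption made for this example.
[Config: Topology Daily Snapshot Generator]
disabled = 0
enableSched = 1
cron_schedule = 15 0 * * *

# In the Splunk Add-on for AWS app's own local/savedsearches.conf, not here:
# the add-on ships this search disabled, and the content pack needs it.
[Addon Metadata - Summarize AWS Inputs]
disabled = 0
```

Local overrides take effect after the configuration is reloaded or the search head restarts. A scheduled search runs as its owner, so confirm that the owning account's role can read the indexes the search queries and write to the summary index; otherwise the search runs on schedule and silently produces nothing, and the Topology dashboard simply stays empty.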

Lookups

The Content Pack for Amazon Web Services Dashboards and Reports includes lookups that map data from AWS to support dashboard displays. The lookup files are located in $SPLUNK_HOME/etc/apps/DA-ITSI-CP-aws-dashboards/lookups on Unix based systems or %SPLUNK_HOME%\etc\apps\DA-ITSI-CP-aws-dashboards\lookups on Windows systems.

all_eventName.csv: Maps Identity and Access Management (IAM) event names to an alert level and a Boolean value for notable event status.
cn_price.csv: Instance pricing keyed by instance_type and region. Columns: region, instance_type, on_demand_hourly, reserved_one_all_yearly, reserved_one_partial_yearly, reserved_one_partial_hourly.
price.csv: Instance pricing keyed by instance_type and region. Columns: region, instance_type, on_demand_hourly, reserved_one_all_yearly, reserved_one_partial_yearly, reserved_one_partial_hourly.
resource_timeline_services.csv: Maps serviceID to serviceName.
regions.csv: Maps AWS region strings to latitude and longitude coordinates and friendly names.
unauthorized_errorCode.csv: Maps four variations of unauthorized error strings to a Boolean value.
well_known_ports.csv: Maps name to port name.

Data models

The Content Pack for Amazon Web Services Dashboards and Reports includes the following data models to support dashboard performance. None of them is accelerated by default; the required action for each is to enable acceleration.

CloudFront Access Log: Supports the Overview dashboard.
Detailed Billing: Supports the Historical Detailed Bills and Billing - Detailed Overview dashboards.
Detailed Billing CUR: Supports the Historical Detailed Bills CUR, Historical Monthly Bills CUR, Budget Planner CUR, and Billing - CUR Overview dashboards.
Instance Hour: Supports the Capacity Planner dashboard.
Instance Hour CUR: Supports the Capacity Planner CUR, Reserved Instance Planner CUR, Reserved Instance Planner Details CUR, and Historical Monthly Bills CUR dashboards.

After you enable acceleration for Detailed Billing and Detailed Billing CUR, you can change the aws-data-model-acceleration macro definition to summariesonly=t to improve billing dashboard performance.


Macros

The Content Pack for Amazon Web Services Dashboards and Reports includes a set of macros that support dashboard performance.

Many of these macros search only the main or default index. If you store your data in any other index, you must add it to the macro definition, or the dashboards that depend on the macro return no results. You can schedule the Add-on Synchronization saved search to update the macros automatically.

Each entry gives the macro name, its default definition, and the update required if you manage inputs from the add-on.

aws-cloudtrail-index
Default definition: (index="main" OR index="aws-cloudtrail")
Required update: If your CloudTrail data is in any index other than main, aws-cloudtrail, or another default index you set for your environment, add it to this definition.

aws-config-index
Default definition: (index="main" OR index="aws-config")
Required update: If your AWS Config data is in any index other than main, aws-config, or another default index you set for your environment, add it to this definition.

aws-billing-index
Default definition: (index="main" OR index="default")
Required update: If your Billing data is in any index other than main or another default index you set for your environment, add it to this definition.

aws-billing-index-cur
Default definition: (index="main")
Required update: If your AWS Cost and Usage Report data is in any index other than main, add it to this definition.

aws-cloudwatch-index
Default definition: (index="main" OR index="default")
Required update: If your CloudWatch data is in any index other than main or another default index you set for your environment, add it to this definition.

aws-cloudwatch-logs-index
Default definition: (index="main" OR index="default")
Required update: If your CloudWatch Logs data, including any data you collect through the add-on's Kinesis input, is in any index other than main, add it to this definition.

aws-description-index
Default definition: (index="main" OR index="default")
Required update: If your Description data is in any index other than main, add it to this definition.

aws-config-rule-index
Default definition: (index="main" OR index="default")
Required update: If your Config Rule data is in any index other than main, add it to this definition.

aws-inspector-index
Default definition: (index="main" OR index="default")
Required update: If your Amazon Inspector data is in any index other than main, add it to this definition.

aws-s3-index
Default definition: (index="main")
Required update: If your S3 access logs, Elastic Load Balancing (ELB) access logs, or CloudFront access logs are in any index other than main, add those indexes to this definition.

aws-data-model-acceleration
Default definition: summariesonly=f
Required update: If you have already enabled data model acceleration and want to improve performance for the Billing dashboards, change the definition to summariesonly=t.
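The following local macros.conf is an added example of the updates described above; it is not configuration shipped with the content pack. The app directory is the one this page gives for the content pack's lookups, and the index names aws_cloudtrail_prod and aws_config_prod are assumptions standing in for whatever indexes your add-on inputs actually write to.

```ini
# $SPLUNK_HOME/etc/apps/DA-ITSI-CP-aws-dashboards/local/macros.conf
# Added example: widening two index macros for data that lives outside main,
# and switching the billing dashboards to summarized data only.

# Shipped default: (index="main" OR index="aws-cloudtrail")
# aws_cloudtrail_prod is an assumed index name; keep the shipped indexes so
# any data still landing in them remains visible.
[aws-cloudtrail-index]
definition = (index="main" OR index="aws-cloudtrail" OR index="aws_cloudtrail_prod")

# Shipped default: (index="main" OR index="aws-config")
# aws_config_prod is an assumed index name.
[aws-config-index]
definition = (index="main" OR index="aws-config" OR index="aws_config_prod")

# Shipped default: summariesonly=f
# Only change this after the Detailed Billing and Detailed Billing CUR data
# models are accelerated and their initial summary build has completed:
# with summariesonly=t, events that have not yet been summarized are
# excluded from the billing dashboards rather than searched directly.
[aws-data-model-acceleration]
definition = summariesonly=t
```

Before editing, confirm where the data actually lives rather than guessing; a search such as `| tstats count where sourcetype=aws:cloudtrail by index` over the relevant time range lists every index holding CloudTrail events. Keep each definition to a parenthesized index list, as shipped, because the macro is expanded verbatim into the SPL of every panel that uses it.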
Last modified on 05 October, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current