Splunk® Content Packs for ITSI and IT Essentials Work

Install and configure the Content Pack for Amazon Web Services Dashboards and Reports

Perform the following high-level steps to install and configure the Content Pack for Amazon Web Services Dashboards and Reports:

  1. Install and configure the Splunk Add-on for Amazon Web Services.
  2. Install the Content Pack for Amazon Web Services Dashboards and Reports.
  3. Create indexes.
  4. Schedule saved searches.
  5. Enable data model acceleration.
  6. Enable AWS Elastic Compute Cloud (EC2) insight recommendation.
  7. (Optional) Configure dashboard billing options.
  8. (Optional) Create a custom index for storing AWS accounts and inputs data.

Prerequisites

  • Enable the app key value store in the environment where you plan to install the content pack. See About the app key value store in the Splunk Enterprise Admin Manual.
  • Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.

Install and configure the Splunk Add-on for Amazon Web Services

This content pack depends on data from the Splunk Add-on for Amazon Web Services (AWS), which collects CloudTrail log, performance, billing, and IT and security data from Amazon Web Services products.

  1. Download the Splunk Add-on for AWS from Splunkbase.
  2. Install and configure the add-on. See Deploy the Splunk Add-on for AWS in the Splunk Add-on for AWS manual for more information.

Where each component is installed:

Component                                                     Search head/cluster   Indexer/cluster   Forwarder
Content Pack for Amazon Web Services Dashboards and Reports
Splunk Add-on for AWS

Most configurations for the Content Pack for Amazon Web Services Dashboards and Reports are handled in the Splunk Add-on for Amazon Web Services. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for Amazon Web Services, see Installation overview for the Splunk Add-on for Amazon Web Services in the Splunk Add-on for AWS manual.

Install the Content Pack for Amazon Web Services Dashboards and Reports

To install the Content Pack for Amazon Web Services Dashboards and Reports, you must install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Pack installation instructions.

The Content Pack for Amazon Web Services Dashboards and Reports contents are automatically installed and running once you install the Splunk App for Content Packs on the search head where you installed ITSI or IT Essentials Work.

Install the Python for Scientific Computing add-on for Recommendations Service

If you run the Content Pack for Amazon Web Services Dashboards and Reports on Splunk Enterprise, the Recommendations Service feature depends on version 1.2 of the Python for Scientific Computing (PSC) add-on, available on Splunkbase or in the in-product app browser. Install the package that matches your platform on every search head that runs the content pack.

Splunk Cloud Platform does not support the Recommendations Service feature, so you do not need to install the PSC add-on there.

If you also want to install PSC add-on version 2.0 on the same search head, rename the existing version 1.2 package so that the two versions can coexist:

  1. Append _awsapp to the end of the package name. For example, if the package name is Splunk_SA_Scientific_Python_linux_x86_64, rename it to Splunk_SA_Scientific_Python_linux_x86_64_awsapp.
  2. In the local/ directory of the renamed package, create an app.conf file.
  3. Open app.conf and add a [package] stanza with an id parameter that contains the new package name. For example:
    [package]
    id = Splunk_SA_Scientific_Python_linux_x86_64_awsapp
    

Create indexes

After you install the Content Pack for Amazon Web Services Dashboards and Reports, create the summary indexes that its preconfigured saved searches write to. The content pack uses saved searches and search macros to generate dashboards and reports for the AWS data you collect, and those saved searches and macros assume the indexes already exist.

After you create the indexes, schedule the Addon Synchronization saved search, which updates the search macros and syncs the content pack with the Splunk Add-on for Amazon Web Services. If you prefer to update the macros manually, see the macros reference for the list of macros to change.

Add indexes on every indexer that stores Amazon Web Services data from the Splunk Add-on for Amazon Web Services. By default, the Content Pack for Amazon Web Services Dashboards and Reports is configured to use these summary indexes:

  • aws_topology_history
  • aws_topology_daily_snapshot
  • aws_topology_monthly_snapshot
  • aws_topology_playback
  • aws_vpc_flow_logs
  • aws_anomaly_detection

Create the indexes by adding these index stanzas to the indexes.conf file on each indexer. See indexes.conf in the Splunk Enterprise Admin Manual. See the Administer Splunk Enterprise with configuration files chapter of the Splunk Enterprise Admin Manual to learn more about platform configuration files. Note that every stanza sets coldToFrozenDir, so buckets that age past frozenTimePeriodInSecs are archived to the frozendb directory rather than deleted, and that archive grows until you clean it up yourself. The aws_anomaly_detection stanza sets no frozenTimePeriodInSecs, so the platform default retention applies to it. If you rely on aws_vpc_flow_logs for investigations, the 7-day value below is probably shorter than your retention policy requires; raise it to match.

[aws_topology_history]
coldToFrozenDir = $SPLUNK_DB/aws_topology_history/frozendb
coldPath = $SPLUNK_DB/aws_topology_history/colddb
homePath = $SPLUNK_DB/aws_topology_history/db
thawedPath = $SPLUNK_DB/aws_topology_history/thaweddb

# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600

repFactor = auto


[aws_topology_daily_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_daily_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_daily_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_daily_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_daily_snapshot/thaweddb

#frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600

repFactor = auto


[aws_topology_monthly_snapshot]
coldToFrozenDir = $SPLUNK_DB/aws_topology_monthly_snapshot/frozendb
coldPath = $SPLUNK_DB/aws_topology_monthly_snapshot/colddb
homePath = $SPLUNK_DB/aws_topology_monthly_snapshot/db
thawedPath = $SPLUNK_DB/aws_topology_monthly_snapshot/thaweddb

# frozen time is 365 days
frozenTimePeriodInSecs = 31536000
maxHotIdleSecs = 86400

repFactor = auto


[aws_topology_playback]
coldToFrozenDir = $SPLUNK_DB/aws_topology_playback/frozendb
coldPath = $SPLUNK_DB/aws_topology_playback/colddb
homePath = $SPLUNK_DB/aws_topology_playback/db
thawedPath = $SPLUNK_DB/aws_topology_playback/thaweddb

#frozen time is about 6 months
frozenTimePeriodInSecs = 15552000
maxHotIdleSecs = 3600

repFactor = auto


[aws_vpc_flow_logs]
coldToFrozenDir = $SPLUNK_DB/aws_vpc_flow_logs/frozendb
coldPath = $SPLUNK_DB/aws_vpc_flow_logs/colddb
homePath = $SPLUNK_DB/aws_vpc_flow_logs/db
thawedPath = $SPLUNK_DB/aws_vpc_flow_logs/thaweddb

# frozen time is 7 days
frozenTimePeriodInSecs = 604800
maxHotIdleSecs = 3600

repFactor = auto


[aws_anomaly_detection]
coldToFrozenDir = $SPLUNK_DB/aws_anomaly_detection/frozendb
coldPath = $SPLUNK_DB/aws_anomaly_detection/colddb
homePath = $SPLUNK_DB/aws_anomaly_detection/db
thawedPath = $SPLUNK_DB/aws_anomaly_detection/thaweddb

repFactor = auto

Schedule saved searches

Schedule the Addon Synchronization saved search only after you create the summary indexes; it updates the content pack's macros so that the content pack and the Splunk Add-on for Amazon Web Services work together properly. Follow these steps to run and schedule it:

  1. In Splunk Web, go to the Settings menu and select Searches, reports, and alerts.
  2. Select AWS Dashboards and Reports (DA-ITSI-CP-aws-dashboards) in the App dropdown.
  3. Run the Addon Synchronization saved search.
  4. Configure the schedules for the Addon Synchronization saved search. Click Edit under the Actions column and select Edit Schedule.
  5. Enable Schedule Report.
  6. Specify a regular schedule to run each saved search. When you're done, click Save.

Follow these steps to disable a saved search:

  1. From the Settings menu, select Searches, reports, and alerts.
  2. Locate the saved search by filtering the list or entering the name of the saved search in the Filter field to search for it.
  3. In the Actions column of the saved search, select Edit and then Disable to disable the saved search.

The Addon Metadata - Summarize AWS Inputs saved search ships with the Splunk Add-on for AWS but is disabled by default. You must enable it for the Content Pack for Amazon Web Services Dashboards and Reports to work properly, because it aggregates the inputs and accounts data into the summary index that the content pack reads.

For more information on saved searches knowledge objects, see Saved searches.

Enable data model acceleration

The acceleration of the following data models is disabled by default. Enable acceleration for these data models to populate the data on the dashboards packaged in the content pack.

  • CloudFront Access Log
  • Detailed Billing
  • Detailed Billing CUR
  • Instance Hour
  • Instance Hour CUR

You must be an admin to enable data model acceleration or change the acceleration period. Complete the following steps on the search head to enable acceleration for the data models listed above:

  1. In Splunk Web, go to Settings > Data Models.
  2. From the App list, select IT Service Intelligence (itsi) to see the data models defined and used by the content packs.
  3. Select Edit for the data model you want to enable acceleration for.
  4. Select Edit Acceleration.
  5. Check Accelerate.
  6. Select the summary range to specify the acceleration period or keep the default selection.
  7. Click Save.
  8. (Optional) To improve performance for Billing dashboards, change the aws-data-model-acceleration macro definition to summariesonly=t. With summariesonly=t the searches read only the accelerated summaries, so events that have not yet been summarized are left out of the dashboards.

Enable EC2 insight recommendation

The Content Pack for Amazon Web Services Dashboards and Reports contains the required knowledge object for the EC2 insight recommendation feature. To enable the feature, follow these steps:

  1. Log in to Splunk Web and go to Settings > Searches, reports, and alerts.
  2. Select AWS Dashboards and Reports in the app filter.
  3. Find the Topology History Generator saved search and click Run in the Actions column.
  4. Enable scheduling for Config: Topology History Appender and Config: Topology Daily Snapshot Generator saved searches.
  5. Run this search in Splunk Web to get recommendation results:

    rest services/saas-aws/da_itsi_cp_aws_recommendation splunk_server=local

Machine learning (ML) insights are stored in the recommendationResults_kvstore KV store collection.

Configure dashboard billing options

If you want to monitor billing data, go to the Configure AWS Billing Tags dashboard under Dashboards > Dashboards to select your billing tags. For more information about using custom tags in the Content Pack for Amazon Web Services Dashboards and Reports, see Select tags for your Historical Detailed Billing and Capacity Planner dashboards.

Create a custom index for storing AWS accounts and inputs data

Most configurations for the Content Pack for Amazon Web Services Dashboards and Reports are handled in the Splunk Add-on for Amazon Web Services. For information on how to set up and manage the configuration for your AWS accounts and inputs using the Splunk Add-on for Amazon Web Services, see Installation overview for the Splunk Add-on for Amazon Web Services in the Splunk Add-on for AWS manual.

By default, your AWS accounts and inputs data are stored in a predefined index named summary. You can create a custom index to store the AWS accounts and inputs data instead. If you want to use a custom index, perform the following steps:

  1. Create an index in which you want to store AWS accounts and inputs data. You must create the index on an indexer or indexer cluster, and not on a search head or heavy forwarder. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual for information about creating an index.
  2. In the Splunk Add-on for Amazon Web Services, modify the aws-account-index and aws-input-index macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  3. In the Splunk Add-on for Amazon Web Services, run these saved searches: Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs.
    1. Go to Settings > Searches, Reports, and Alerts.
    2. Find the Addon Metadata - Migrate AWS Accounts and Addon Metadata - Summarize AWS Inputs saved searches.
    3. In the Actions column, click Run for each saved search.
  4. In the Content Pack for Amazon Web Services Dashboards and Reports, modify the aws-account-summary, aws-input-summary, and aws-sourcetype-index-summary macros to include the custom index you created.
    1. Go to Settings > Advanced Search > Search Macros.
    2. Select the macro from the list.
    3. For the index field, replace summary with the name of the index you created.
  5. In the Content Pack for Amazon Web Services Dashboards and Reports, run the Addon Synchronization saved search to sync the macros.
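The macro edits in steps 2 and 4 are easy to get wrong by hand, and a macro that still points at summary after the migration silently leaves the dashboards empty. The following added example (not code from Splunk, the Splunk Add-on for AWS or the content pack) makes the same change to a macros.conf text: it validates the custom index name against Splunk's index naming rules (digits, lowercase letters, underscores and hyphens; no leading underscore or hyphen; must not contain "kvstore") and rewrites only the index=summary term of the five macros this page names, leaving every other macro and every other term untouched, and it reports any named macro that was not found. SAMPLE_MACROS_CONF is a constructed stand-in for the relevant stanzas; the real definitions carry different terms, which is why only the index term is rewritten. The index name aws_metadata in the usage call is an assumption.

```python
"""Point the AWS account and input macros at a custom index.

Added example for this page; not code from Splunk, the Splunk Add-on for AWS or the
content pack. SAMPLE_MACROS_CONF is a constructed stand-in for the relevant stanzas of
macros.conf: the real definitions carry different terms, so only the index= term that
names the default summary index is rewritten.
"""
import re

# Macro names from the page: the first two live in the add-on, the rest in the content pack.
ADDON_MACROS = ("aws-account-index", "aws-input-index")
CONTENT_PACK_MACROS = ("aws-account-summary", "aws-input-summary",
                       "aws-sourcetype-index-summary")

SAMPLE_MACROS_CONF = """\
[aws-account-index]
definition = index=summary

[aws-input-index]
definition = index="summary" earliest=-30d

[aws-account-summary]
definition = index=summary

[aws-input-summary]
definition = index=summary

[aws-sourcetype-index-summary]
definition = index=summary

[aws-data-model-acceleration]
definition = summariesonly=f
"""

# Splunk index names: digits, lowercase letters, underscores and hyphens; may not start
# with an underscore or hyphen and may not contain "kvstore".
_INDEX_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]*$")
# The index= term naming the default summary index, quoted or not. The lookarounds stop
# it matching inside a longer token such as my_index=summary or index=summary2.
_SUMMARY_TERM = re.compile(r'(?<![\w-])index\s*=\s*"?summary"?(?![\w-])')
_STANZA = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def is_valid_index_name(name):
    """True if name satisfies Splunk's index naming rules."""
    return bool(_INDEX_NAME.match(name)) and "kvstore" not in name


def rewrite_macros(conf_text, macro_names, custom_index):
    """Return {"text", "changed", "missing"}: the rewritten conf, the macros whose
    definition was changed (in file order) and the requested macros not present."""
    if not is_valid_index_name(custom_index):
        raise ValueError(f"not a valid Splunk index name: {custom_index!r}")
    wanted = set(macro_names)
    seen, changed, out = set(), [], []
    current = None
    for line in conf_text.splitlines():
        m = _STANZA.match(line)
        if m:
            current = m.group(1)
            seen.add(current)
        elif current in wanted and line.lstrip().startswith("definition"):
            line, n = _SUMMARY_TERM.subn(f"index={custom_index}", line)
            if n:
                changed.append(current)
        out.append(line)
    return {"text": "\n".join(out) + "\n", "changed": changed,
            "missing": [name for name in macro_names if name not in seen]}


if __name__ == "__main__":
    # aws_metadata is an assumed index name standing in for the one you created.
    result = rewrite_macros(SAMPLE_MACROS_CONF, ADDON_MACROS + CONTENT_PACK_MACROS,
                            "aws_metadata")
    print(result["text"])
    print("changed:", result["changed"], "missing:", result["missing"])
```

Write the rewritten stanzas to local/macros.conf under the add-on (for the first two macros) and under the content pack (for the other three) rather than editing default/, so an upgrade does not revert them, and then run the Addon Synchronization saved search as step 5 describes.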

Next step

After you install and configure the Content Pack for Amazon Web Services Dashboards and Reports, you can start using the dashboards and visualizations in the content pack to monitor your environment. For instructions, see Use the Content Pack for Amazon Web Services Dashboards and Reports.

Last modified on 28 September, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
