Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

Acrobat logo Download manual as PDF

On August 22, 2022, the Splunk App Infrastructure will reach its end of life and Splunk will no longer maintain or develop this product.
Acrobat logo Download topic as PDF

Configure AWS data collection for Splunk App for Infrastructure

Admin privileges are required to configure data collection.

To collect data and monitor your AWS accounts, add your AWS account information to the Splunk App for Infrastructure (SAI) and collect data from your entities such as EC2, EBS, ELB, and CloudWatch logs. For more information about these AWS metrics, see:

After you add AWS data and validate new entities are connected, start monitoring your infrastructure from the Investigate tab of SAI. You can group your entities to monitor them more easily, and drill down into the Analysis Workspace to further analyze your infrastructure.


  • AWS Add-on version 5.0.0. For more information, see Splunk Add-on requirements.
  • If configuring on an on-premises instance, you need your AWS account Name, Key ID, and Secret Key.
  • If configuring on an AWS EC2 instance, you need to configure an IAM role for AWS data collection.

If you plan to collect AWS data, install these apps and add-ons on a heavy forwarder:


Step 1: Connect to your AWS account

For on-premises instances:

  1. In the SAI user interface, click the Add Data tab.
  2. In the left panel click AWS.
  3. Enter a Name to identify an AWS account.
  4. Enter the account's Key ID and Secret Key, and select a Region Category.
  5. Click Add AWS account.

For AWS EC2 instances:

  1. In the SAI user interface, click the Add Data tab.
  2. In the left panel click AWS.
  3. Attach IAM role. Click the instructions link for directions for how to attach an IAM role needed for AWS data collection, or see Configure Identity and Access Management (IAM) permissions for AWS data collection. There can be only one IAM role attached to an instance, and the user interface updates when the IAM role is detected.
  4. Click Verify IAM role attachment. A green checkmark and an identified IAM detected role display.

Step 2: Collect data from AWS

  1. Select the AWS Entity Types you want to collect data from.
  2. Select the AWS Regions that apply.
  3. If you want to collect data from CloudWatch Logs, select Yes and click Add AWS data source. When setting up CloudWatch Logs agent configuration in AWS, edit the log stream name (log_stream_name) with a unique name (instance_id) for each log group within the configuration file. This defines the log stream's identity for correlation of logs to individual instances and metric data. For example:
    file = /var/log/messages
    log_group_name = /var/log/messages
    log_stream_name = {instance_id}
    Select the region and enter the log file name. Click the Add to add more log files.
  4. Click Update AWS data source.

Step 3: Once your AWS account is added, verify your data connection

  1. When a connection is made to your AWS account(s), connected entities display.
    • If no new entities are connected after a few minutes, click Refresh.
    • When new entities are connected, click Take a look now to view your host.
Last modified on 10 July, 2020
About VMware vSphere integrations in SAI
Configure Identity and Access Management (IAM) policy for AWS data collection

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters