Splunk® Enterprise

Add AWS Billing data: Distributed deployment with indexer clustering



Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure Billing inputs for the Splunk Add-on for AWS

Configure Billing inputs to collect Billing data (source type: aws:billing).

Configure a Billing input on the data collection node in one of the following ways:

  • Configure a Billing input using Splunk Web (recommended)
  • Configure a Billing input using configuration file

If you want to collect both a Monthly report and a Detailed report, configure two Billing inputs: one for the Monthly report and another for the Detailed report. This way, you can set the interval and the report_file_match_reg for a specific report type rather than having the values you enter there apply to both report types.


Input configuration overview

You can use the Splunk Add-on for AWS to collect data from AWS. For each supported data type, one or more input types are provided for data collection.

Follow these steps to plan and perform your AWS input configuration:

Users adding new inputs must have the admin_all_objects role enabled.

  1. Click the input type to go to the input configuration details.
  2. Follow the steps described in the input configuration details to complete the configuration.

Configure a Billing input using Splunk Web

To configure inputs using Splunk Web, click on Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then click Create New Input > Billing.

Argument in configuration file | Field in Splunk Web | Description
AWS Input Configuration
aws_account | AWS account | The AWS account or EC2 IAM role the Splunk platform uses to access your Billing data. In Splunk Web, select an account from the drop-down list. In inputs.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page or the name of the autodiscovered EC2 IAM role.
aws_iam_role | Assume Role | The IAM role to assume. See Manage IAM roles.
bucket_name | S3 Bucket | The S3 bucket that is configured to hold billing reports.
monthly_report_type | Monthly report | The monthly report type that the Splunk platform collects from your AWS account. Enter one of the following values:
  • None
  • Monthly report
  • Monthly cost allocation report
detail_report_type | Detailed report | The detailed report type that the Splunk platform collects from your AWS account. Enter one of the following values:
  • None
  • Detailed billing report
  • Detailed billing report with resources and tags
Splunk-Related Configuration
initial_scan_datetime | Start Date/Time (UTC) | The add-on collects only data dated later than this time. If you leave this field empty, the default value is 90 days before the input is configured.
Note: Once the input is created, this value cannot be changed.
sourcetype | Source type | A source type for the events. Specify a value if you want to override the default of aws:billing. Event extraction relies on the default value of source type. If you change the default value, you must update props.conf as well.
index | Index | The index name where the Splunk platform puts the billing data. The default is main.
Advanced Settings
interval | Interval | Enter the number of seconds to wait before the Splunk platform runs the command again, or a valid cron schedule. Default is 86400 seconds (one day). Note that this interval applies differently for monthly report types and detailed report types.
For monthly report types, the interval indicates how often to run the data collection for the current month's monthly report AND how often to check the previous month's monthly report's etag to determine if changes were made. If the etag does not match an already-downloaded version of the monthly report, the add-on downloads that report to get the latest data.
For detailed report types, the interval indicates how often to check the previous month's detailed report etag to determine if changes were made. If the etag does not match a report already downloaded, the add-on downloads that report to get the latest data. The present month is never collected until the month has ended.
Because AWS billing reports are usually not finalized until several days after the last day of the month, you can use the cron expression 0 0 8-31 * * to skip data collection for the first seven days of every month to avoid collecting multiple copies of not-yet-finalized reports for the just-finished month.
report_file_match_reg | Regex for report selection | A regular expression that the Splunk platform uses to match reports in AWS. This expression overrides values in the monthly_report_type and detail_report_type arguments. Thus, if you wish to collect both Monthly and Detailed billing reports, but you want to use regex to specify the report collection period, you should configure two separate billing inputs so that the regex you specify here applies only to one of the report types that you want to collect.
Use this regex to limit the report collection to a certain time period to avoid collecting data that you do not need. This is particularly important for the first time that you enable the input. By default, the add-on collects all available reports for all previous months. If you collect Detailed reports, which are large in size, this can result in a very large amount of data collection. You may wish to limit how many months of past data you collect. For example, you can use the expression
\d+-aws-billing-detailed-line-items-201[56789]-\d+\.csv\.zip
to collect only Detailed reports from January 2015 and later, or the expression
\d+-aws-billing-detailed-line-items-with-resources-and-tags-2015-((0[4-9])|(10)|(11)|(12))\.csv\.zip|(\d+-aws-billing-detailed-line-items-with-resources-and-tags-201[6789]-\d+\.csv\.zip)
to collect only the Detailed billing reports with resources and tags for April 2015 and later.
temp_folder | Temp Folder | Full path to a non-default folder with sufficient space for temporarily storing downloaded detailed billing report .zip files. Take into account the estimated size of uncompressed detailed billing report files, which can be much larger than that of zipped files. If you do not specify a temp folder, the add-on uses the system temp folder by default.
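
An added example, not part of the Splunk documentation or the add-on's code: a Python check that previews which report files a candidate report_file_match_reg value would select before the input is enabled. The object keys, the account id and the LOOSE pattern are constructed for illustration, and because the page does not say whether the add-on applies the expression as a partial or a full match, the check flags any key where the two disagree.

```python
import re

# Constructed S3 object keys in the naming style the expressions above target.
ACCT = "123456789012"  # placeholder account id, not a real account
TAGGED = ACCT + "-aws-billing-detailed-line-items-with-resources-and-tags-"
SAMPLE_KEYS = [
    TAGGED + "2015-03.csv.zip",
    TAGGED + "2015-04.csv.zip",
    TAGGED + "2015-12.csv.zip",
    TAGGED + "2016-01.csv.zip",
    ACCT + "-aws-billing-detailed-line-items-2016-01.csv.zip",
    ACCT + "-aws-billing-csv-2016-01.csv",
]

STEM = r"\d+-aws-billing-detailed-line-items-with-resources-and-tags-"

# April 2015 and later: month alternatives grouped, literal dots escaped.
STRICT = (STEM + r"2015-((0[4-9])|(10)|(11)|(12))\.csv\.zip"
          + "|" + STEM + r"201[6789]-\d+\.csv\.zip")

# Constructed mistake: ".csv.zip" belongs to the "(12)" alternative only.
LOOSE = STEM + r"2015-((0[4-9])|(10)|(11)|(12).csv.zip)"


def selected(pattern, keys):
    """Keys that the pattern matches from first to last character."""
    rx = re.compile(pattern)
    return [k for k in keys if rx.fullmatch(k)]


def partial_only(pattern, keys):
    """Keys matched somewhere by the pattern but not in full.

    A non-empty result means the selection depends on whether the consumer
    applies the expression as a partial or a full match.
    """
    rx = re.compile(pattern)
    return [k for k in keys if rx.search(k) and not rx.fullmatch(k)]


if __name__ == "__main__":
    for name, pattern in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        print(name, "selects:", selected(pattern, SAMPLE_KEYS))
        print(name, "partial only:", partial_only(pattern, SAMPLE_KEYS))
```

Replace SAMPLE_KEYS with a listing of the real bucket's object names to size the first collection before the input runs.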

Configure a Billing input using configuration file

To configure inputs in inputs.conf, create a stanza using the following template and add it to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf. If the file or path does not exist, create it.

[aws_billing://<name>]
aws_account = <value>
aws_iam_role = <value>
interval = <value>
initial_scan_datetime = <value>
bucket_name = <value>
detail_report_type = <value>
monthly_report_type = <value>
report_file_match_reg = <value>
sourcetype = <value>
index = <value>
host_name = s3.amazonaws.com

Some of these settings have default values that can be found in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/default/inputs.conf:

[aws_billing]
bucket_name =
aws_account =
monthly_report_type = Monthly cost allocation report
detail_report_type = Detailed billing report with resources and tags
report_file_match_reg =
interval = 86400
sourcetype = aws:billing
host_name = s3.amazonaws.com

The values above correspond to the default values in Splunk Web. If you choose to copy this stanza to /local and use it as a starting point to configure your inputs.conf manually, change the stanza title from aws_billing to aws_billing://<name>.

Last modified on 10 July, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

