Splunk® Enterprise

Add AWS CloudWatch Metrics data: Distributed deployment with indexer clustering


Configure CloudWatch inputs for the Splunk add-on for AWS

Configure CloudWatch inputs to collect CloudWatch data (source type: aws:cloudwatch).

As a best practice, configure separate CloudWatch inputs for each metric or set of metrics that have different minimum granularities, based on the sampling period that AWS allows for that metric. For example, CPUUtilization has a sampling period of 5 minutes, whereas Billing Estimated Charge has a sampling period of 4 hours. If you configure a granularity that is smaller than the minimum sampling period available in AWS, the input wastes API calls.

Input configuration overview

You can use the Splunk Add-on for AWS to collect data from AWS. For each supported data type, one or more input types are provided for data collection.

Users adding new inputs must have the admin_all_objects role enabled.

Follow these steps to plan and perform your AWS input configuration:

  1. Click an input type to go to its input configuration details.
  2. Follow the steps described in the input configuration details to complete the configuration.

Configure a CloudWatch input using Splunk Web

To configure inputs in Splunk Web, click Splunk Add-on for AWS in the left navigation bar of the Splunk Web home page, then click Create New Input > CloudWatch.

Each entry below gives the argument name in the configuration file, the corresponding field in Splunk Web (in parentheses), and a description.

aws_account (AWS Account): The AWS account or EC2 IAM role the Splunk platform uses to access your CloudWatch data. In Splunk Web, select an account from the drop-down list. In inputs.conf, enter the friendly name of one of the AWS accounts that you configured on the Configuration page, or the name of the autodiscovered EC2 IAM role.

aws_iam_role (Assume Role): The IAM role to assume. See Manage IAM roles.

aws_region (AWS Regions): The AWS region name or names. In Splunk Web, select one or more regions from the drop-down list. In inputs.conf, enter one or more valid AWS region IDs, comma-separated. See the AWS documentation for more information.

Click Advanced to edit the Metrics Configuration settings that follow.

metric_dimensions (Dimensions): CloudWatch metric dimensions as a JSON array, with strings as keys and regular expressions as values. Splunk Web automatically populates correctly formatted JSON to collect all metric dimensions in the namespace you have selected. If you want, you can customize the JSON to limit the collection to just the dimensions you want to collect. For example, for the SQS namespace, you can collect only the metrics for Queue Names that start with "splunk" and end with "_current" by entering [{"QueueName": ["\"splunk.*_current\\\\s\""]}].

You can set multiple dimensions in one data input. The value is a JSON array containing a single JSON object, and a dimension is collected when it is matched by that object. The object has strings as keys, and each value is either one regex or an array of regexes. The Splunk Add-on for AWS supports only one JSON object per JSON array, so [{"key1": "regex1"}, {"key2": "regex2"}] is not supported.

A dimension is matched by the object if and only if:

  • it has the same key set as the object;
  • for each key, at least one element of the dimension's value (the value may be a list) is matched by every regex that the object lists for that key.

For example, [{"key":["val.*", ".*lue"]}] will match {"key":"value"} and {"key":["value"]}, but not {"key":"value", "key2":"value2"}.
Exception: The BucketName dimension does not support wildcards or arrays with a length greater than 1. When you collect metrics from the AWS/S3 namespace, configure a separate CloudWatch input for each S3 bucket. Example: {"StorageType": ["StandardStorage"], "BucketName": ["my_favorite_bucket"]}.

metric_names (Metrics): CloudWatch metric names as a JSON array. For example: ["CPUUtilization","DiskReadOps","StatusCheckFailed_System"]. Splunk Web automatically populates correctly formatted JSON for all metric names in the namespace you have selected. Edit the JSON to remove any metrics you do not want to collect. Collecting metrics you do not need results in unnecessary API calls.

metric_namespace (Namespace): The metric namespace, for example AWS/EBS. In Splunk Web, click + Add Namespace and select a namespace from the drop-down list or enter one manually. If you enter a custom namespace manually, you must type the JSON for the remaining fields yourself. In inputs.conf, enter a valid namespace for the region you specified. You can specify only one metric namespace per input.

metric_expiration (Metric Expiration): How long the discovered metrics are cached, measured in seconds.

statistics (Metric statistics): The metric statistics you want to request. Choose from Average, Sum, SampleCount, Maximum, Minimum. In inputs.conf, this list must be JSON encoded. For example: ["Average","Sum","SampleCount","Maximum","Minimum"].

sourcetype (Source type): A source type for the events. Enter a value if you want to override the default of aws:cloudwatch. Event extraction relies on the default value of the source type, so if you change it you must update props.conf as well.

index (Index): The index where the Splunk platform puts the CloudWatch data. The default is main.

polling_interval (Polling interval): This field was removed in version 4.6.0 of the Splunk Add-on for AWS. Do not use it.

period (Period): The granularity, in seconds, of the returned data points. For metrics with regular resolution, a period can be as short as 60 seconds (1 minute) and must be a multiple of 60. Different AWS metrics may support different minimum granularities, based on the sampling period that AWS allows for that metric. For example, CPUUtilization has a sampling period of 5 minutes, whereas Billing Estimated Charge has a sampling period of 4 hours. Do not configure a granularity that is less than the allowed sampling period for the selected metric; otherwise the reported data reflects the sampling granularity but is labeled with your configured granularity, resulting in inconsistent data.

The smaller your granularity, the more precise your metrics data becomes. Configuring a small granularity is useful when you want to do precise analysis of metrics and you are not concerned about limiting your data volume. Configure a larger granularity when a broader view is acceptable or when you want to limit the amount of data you collect from AWS.

query_window_size (Query Window Size): The window of time used to determine how far back in time to retrieve data points, measured in number of data points.
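As an added illustration of the metric_dimensions matching rule and the BucketName exception described above (example code written for this page, not the add-on's own implementation), the following filter applies that rule to sample dimensions. It assumes a regex must match the whole element (re.fullmatch) and treats any regex metacharacter in BucketName as a disallowed wildcard.

```python
import json
import re

# Added example, not the add-on's own code: a filter that applies the
# metric_dimensions matching rule described on this page. Assumptions: a regex
# matches an element only when it matches the whole string (re.fullmatch), and
# the S3 BucketName rule is enforced by rejecting regex metacharacters.
_META = set(".*+?[]()|^$\\{}")


def _as_list(value):
    """A value in the filter or in a dimension may be one string or a list."""
    return value if isinstance(value, list) else [value]


def load_dimension_filter(metric_dimensions):
    """Parse the metric_dimensions setting into its single JSON object."""
    array = json.loads(metric_dimensions)
    if not (isinstance(array, list) and len(array) == 1 and isinstance(array[0], dict)):
        raise ValueError("metric_dimensions must be a JSON array holding exactly one object")
    obj = array[0]
    buckets = _as_list(obj.get("BucketName", []))
    if len(buckets) > 1 or any(_META & set(b) for b in buckets):
        raise ValueError("BucketName takes one literal bucket name: use one input per S3 bucket")
    return obj


def dimension_matches(dimension, filter_obj):
    """True if the dimension has the same key set and, for every key, at least one
    element of its value is matched by every regex the filter lists for that key."""
    if set(dimension) != set(filter_obj):
        return False
    for key, patterns in filter_obj.items():
        regexes = [re.compile(p) for p in _as_list(patterns)]
        if not any(all(r.fullmatch(e) for r in regexes) for e in _as_list(dimension[key])):
            return False
    return True


if __name__ == "__main__":
    # The page's own example filter, checked against its three sample dimensions.
    flt = load_dimension_filter('[{"key": ["val.*", ".*lue"]}]')
    print(dimension_matches({"key": "value"}, flt))                    # True
    print(dimension_matches({"key": ["value"]}, flt))                  # True
    print(dimension_matches({"key": "value", "key2": "value2"}, flt))  # False
```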

Configure a CloudWatch input using configuration file

To configure inputs manually in inputs.conf, create a stanza using the following template and add it to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf. If the file or path does not exist, create it.

[aws_cloudwatch://<name>]
aws_account = <value>
aws_region = <value>
metric_namespace = <value>
metric_names = <value>
metric_dimensions = <value>
statistics = <value>
period = <value>
sourcetype = <value>
index = <value>
metric_expiration = <value>
query_window_size = <value>

Some of these settings have default values that can be found in $SPLUNK_HOME/etc/apps/Splunk_TA_aws/default/inputs.conf:

[aws_cloudwatch]
start_by_shell = false
sourcetype = aws:cloudwatch
use_metric_format = false
metric_expiration = 3600
query_window_size = 24
interval = 300

The values above correspond to the default values in Splunk Web and to some internal values that are not exposed in Splunk Web for configuration. If you copy this stanza to local/ and use it as a starting point for configuring inputs.conf manually, change the stanza title from aws_cloudwatch to aws_cloudwatch://<name>.

To change the interval, copy the aws_cloudwatch stanza to local/inputs.conf and set the interval value you want. It overrides the default value set in default/inputs.conf.
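A hand-written stanza is easy to get subtly wrong, so here is an added pre-flight check (example code for this page, not part of the add-on) that parses inputs.conf text and reports violations of the rules above: the aws_cloudwatch://<name> stanza title, the removed polling_interval setting, JSON-encoded metric_names and statistics, the allowed statistics set, and a period that is a multiple of 60 and not below the metric's sampling period. It assumes the billing metric the page calls "Billing Estimated Charge" is named EstimatedCharges in metric_names.

```python
import configparser
import json

# Added example, not the add-on's own code: checks a hand-written aws_cloudwatch
# stanza against the rules on this page. The sampling floors are the page's two
# figures (CPUUtilization 5 min, billing 4 h); the name EstimatedCharges is assumed.
ALLOWED_STATISTICS = {"Average", "Sum", "SampleCount", "Maximum", "Minimum"}
MIN_SAMPLING_SECONDS = {"CPUUtilization": 300, "EstimatedCharges": 14400}


def check_cloudwatch_stanzas(conf_text):
    """Return a list of problems found in the inputs.conf text (empty list means OK)."""
    problems = []
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    for name in cp.sections():
        if not name.startswith("aws_cloudwatch://"):
            problems.append(f"{name}: stanza title must be aws_cloudwatch://<name>")
            continue
        s = cp[name]
        if "polling_interval" in s:
            problems.append(f"{name}: polling_interval was removed in 4.6.0, do not use it")
        try:
            names = json.loads(s.get("metric_names", "[]"))
            stats = json.loads(s.get("statistics", "[]"))
        except json.JSONDecodeError as err:
            problems.append(f"{name}: metric_names and statistics must be JSON arrays ({err})")
            continue
        unknown = set(stats) - ALLOWED_STATISTICS
        if unknown:
            problems.append(f"{name}: unsupported statistics {sorted(unknown)}")
        period = s.getint("period", fallback=0)
        if period < 60 or period % 60:
            problems.append(f"{name}: period must be a multiple of 60 seconds, got {period}")
        for metric in names:  # a period below the sampling period yields mislabelled data
            floor = MIN_SAMPLING_SECONDS.get(metric)
            if floor and period < floor:
                problems.append(f"{name}: period {period} is below the {floor}s sampling period of {metric}")
    return problems


# Constructed sample stanza: its period is shorter than CPUUtilization's 5-minute sampling period.
SAMPLE_CONF = """[aws_cloudwatch://ec2_cpu]
aws_account = my_aws_account
aws_region = us-east-1
metric_namespace = AWS/EC2
metric_names = ["CPUUtilization", "StatusCheckFailed_System"]
statistics = ["Average", "Maximum"]
period = 60
"""
```

Running check_cloudwatch_stanzas(SAMPLE_CONF) reports the CPUUtilization period problem; raising period to 300 clears it.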

Last modified on 10 July, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8
