Configure CloudWatch inputs for the Splunk add-on for AWS
Configure CloudWatch inputs to collect CloudWatch data (source type:
As a best practice, configure separate CloudWatch inputs for each metric or set of metrics that have different minimum granularities, based on the sampling period that AWS allows for that metric. For example, CPUUtilization has a sampling period of 5 minutes, whereas Billing Estimated Charge has a sampling period of 4 hours. If you configure a granularity that is smaller than the minimum sampling period available in AWS, the input wastes API calls.
Input configuration overview
You can use the Splunk Add-on for AWS to collect data from AWS. For each supported data type, one or more input types are provided for data collection.
Follow these steps to plan and perform your AWS input configuration:
Users adding new inputs must have the
admin_all_objects role enabled.
- Click input type to go to the input configuration details.
- Follow the steps described in the input configuration details to complete the configuration.
Configure a CloudWatch input using Splunk Web
To configure inputs in Splunk Web, click on Splunk Add-on for AWS in the left navigation bar on Splunk Web home, then click Create New Input > CloudWatch.
|Argument in configuration file||Field in Splunk Web||Description|
||AWS Account||The AWS account or EC2 IAM role the Splunk platform uses to access your CloudWatch data. In Splunk Web, select an account from the drop-down list. In |
||Assume Role||The IAM role to assume, see Manage IAM roles|
||AWS Regions||The AWS region name or names. In Splunk Web, select one or more regions from the drop-down list. In |
|Click Advanced to edit Metrics Configuration.|
||Dimensions||CloudWatch metric dimensions as a JSON array, with strings as keys and regular expressions as values. Splunk Web automatically populates correctly formatted JSON to collect all metric dimensions in the namespace you have selected. If you want, you can customize the JSON to limit the collection to just the dimensions you want to collect. For example, for the SQS namespace, you can collect only the metrics for Queue Names that start with "splunk" and end with "_current" by entering |
You can set multiple dimensions in one data input. If you use a JSON array, the dimension matched by the JSON object in the array is matched. A JSON object has strings as keys and values that are either a regex or an array of regexes. The Splunk Add-on for AWS supports one JSON object per JSON array. For example,
||Metrics||CloudWatch metric names in JSON array. For example: |
||Namespace||The metric namespace. For example, |
||Metric Expiration||Duration of time the discovered metrics are cached for, measured in seconds.|
||Metric statistics||The metric statistics you want to request. Choose from |
||Source type||A source type for the events. Enter a value if you want to override the default of |
||Index||The index name where the Splunk platform puts the CloudWatch data. The default is main.|
||Polling interval||This field has been removed, starting in version 4.6.0 of the Splunk Add-on for AWS. Do not use.|
||Period||The granularity, in seconds, of the returned data points. For metrics with regular resolution, a period can be as short as 60 seconds (1 minute) and must be a multiple of 60. Note that different AWS metrics may support different minimum granularity, based on the sampling period that AWS allows for that metric. For example, CPUUtilization has a sampling period of 5 minutes, whereas Billing Estimated Charge has a sampling period of 4 hours. Do not configure a granularity that is less than the allowed sampling period for the selected metric, or the reported granularity will reflect the sampling granularity but be labeled with your configured granularity, resulting in inconsistent data. |
The smaller your granularity, the more precise your metrics data becomes. Configuring a small granularity is useful when you want to do precise analysis of metrics and you are not concerned about limiting your data volume. Configure a larger granularity when a broader view is acceptable or you want to limit the amount of data you collect from AWS.
||Query Window Size||Window of time used to determine how far back in time to go in order to retrieve data points, measured in number of data points.|
Configure a CloudWatch input using configuration file
To configure inputs manually in
inputs.conf, create a stanza using the following template and add it to
$SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf. If the file or path does not exist, create it.
[aws_cloudwatch://<name>] aws_account = <value> aws_iam_role=<value> aws_region = <value> metric_namespace = <value> metric_names = <value> metric_dimensions = <value> statistics = <value> period = <value> sourcetype = <value> index = <value> metric_expiration = <value> query_window_size = <value>
Some of these settings have default values that can be found in
[aws_cloudwatch] start_by_shell = false sourcetype = aws:cloudwatch use_metric_format = false metric_expiration = 3600 query_window_size = 24 interval = 300
The values above correspond to the default values in Splunk Web as well as some internal values that are not exposed in Splunk Web for configuration. If you choose to copy this stanza to
/local and use it as a starting point to configure your
inputs.conf manually, change the stanza title from
If you would like to change the interval, please copy the
aws_cloudwatch stanza to the
local/inputs.conf file then set the interval value as you want. It will override the default value set in
Configure data collection on your Splunk Enterprise instance
Validate your data
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8