Splunk® Light

Installation Manual


This documentation does not apply to the most recent version of Splunk Light.

Get started with Splunk App for AWS

The Splunk App for AWS provides end-to-end security, operational and cost management insights for your AWS environment, including:

  • A pre-built knowledge base of dashboards, reports, and alerts that deliver real-time visibility into your environment.
  • Easy-to-configure data inputs for your AWS Config, Config Rules, CloudWatch, CloudTrail, Billing, S3, VPC Flow Log, Inspector, and Metadata inputs.
  • A logical topology dashboard that displays your entire AWS infrastructure.


Follow the steps below to configure an AWS account with the Splunk App for AWS, and see the image which displays the workflow.

[Figure: AWS workflow]

Step 1: Planning and prerequisites

Review the following before starting the installation and configuration of your AWS account and the Splunk App for AWS.

AWS planning and prerequisites
Admin role permissions are required.
More than one AWS account can be installed.
Know your AWS Account Access Key ID and AWS Account Secret Access Key.
Consider your Amazon Machine Image (AMI) disk space availability and retention.
  • For best performance, consider adding Amazon Elastic Block Store (Amazon EBS) which provides network-attached storage (NAS) for use with your EC2 instances.
  • After you create, attach, and mount an Amazon EBS volume to your instance, you can use it just as you would use a physical hard drive on your computer. Each volume can be attached to only one EC2 instance, but you can detach an Amazon EBS volume from one EC2 instance and attach it to another.
  • You can attach multiple Amazon EBS volumes to an EC2 instance, and you can also stripe your data across multiple volumes.
  • You can back up the data on your Amazon EBS volumes by creating snapshots, which are stored in Amazon S3. You can create a new Amazon EBS volume from a snapshot and then attach it to an EC2 instance.
  • For more information about Amazon EBS Volumes, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html.
For the AWS General Reference, see http://docs.aws.amazon.com/general/latest/gr/Welcome.html.
Splunk Light planning and prerequisites
Splunk Light 6.5.1 and later. Versions include:
  • Splunk Light AMI, obtained through the Amazon Web Services Marketplace for Splunk products. The Splunk Light AMI version comes pre-installed with the Splunk App for AWS and Splunk Add-on for Amazon Web Services.
  • Splunk Light on-premises and cloud versions, available from Splunk.com. Access the Splunk App for AWS and Splunk Add-on for Amazon Web Services through the Apps and Add-on page in Splunk Light.
Splunk App for AWS 5.0 and later, installed
  • For Splunk Light AMI version, the Splunk App for AWS is pre-installed.
  • For Splunk Light on-premises and cloud versions, the Splunk App for AWS is available from the Apps and Add-on page.
Splunk Add-on for Amazon Web Services 4.1.2 and later, installed (required for Splunk App for AWS functionality).
  • For Splunk Light AMI version, the Splunk Add-on for Amazon Web Services is pre-installed.
  • For Splunk Light on-premises and cloud versions, the Splunk Add-on for Amazon Web Services is available from the Apps and Add-on page.

Step 2: In your AWS account, configure services and permissions

In your AWS account, configure services and permissions to allow the Splunk App for AWS to access your AWS data.

1. Configure AWS services.
a. In order for the Splunk App for AWS to collect data from your AWS account, you must first enable or configure the services that produce the data (AWS Config, CloudTrail, and so on). Splunk recommends that you enable all AWS services; otherwise, some of the dashboards in the Splunk App for AWS will not fully populate.
b. For more information about how to configure AWS services, see Configure your AWS services for the Splunk App for AWS.
2. Configure AWS permissions and policies.
a. In order for the Splunk App for AWS to access the data in your AWS account, you must assign one or more AWS accounts to an IAM role with the permissions required by those services. You can use the AWS Policy Generator tool to collect all permissions into one centrally managed policy, which you can then apply to the IAM group used by the account(s) that the Splunk App for AWS uses to connect to your AWS environment.
b. For an example policy that contains all permissions for all inputs, and for more information about configuring permissions for AWS services, see Configure your AWS permissions for the Splunk App for AWS.
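
One way to carry out the consolidation in step 2a and check the result before attaching it, as an added example (not Splunk's code or its published policy). The action lists are a constructed sample, and `SAMPLE_INPUT_ACTIONS`, `SCOPABLE`, `build_policy` and `lint_policy` are hypothetical names; take the real permission list from the topic referenced in 2b.

```python
# Constructed sample: real AWS action names grouped by data input, for
# illustration only. Take the authoritative list from Splunk's permissions topic.
SAMPLE_INPUT_ACTIONS = {
    "cloudtrail": ["sqs:GetQueueAttributes", "sqs:ReceiveMessage",
                   "sqs:DeleteMessage", "s3:GetObject"],
    "config": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "s3:GetObject"],
    "cloudwatch": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics"],
    "vpc_flow_logs": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
                      "logs:GetLogEvents"],
}
# Assumption: services whose actions above can be limited to specific ARNs.
SCOPABLE = {"s3", "sqs", "logs"}


def as_list(value):
    return value if isinstance(value, list) else [value]


def build_policy(input_actions, resources_by_service=None):
    """Merge per-input action lists into one policy, one statement per service."""
    by_service = {}
    for actions in input_actions.values():
        for action in actions:
            by_service.setdefault(action.split(":", 1)[0], set()).add(action)
    statements = []
    for service in sorted(by_service):
        statements.append({
            "Sid": "Splunk" + service.capitalize(),
            "Effect": "Allow",
            "Action": sorted(by_service[service]),
            # Falls back to "*" when no ARN was supplied; lint_policy flags it.
            "Resource": (resources_by_service or {}).get(service, "*"),
        })
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Return (Sid, finding) pairs for grants broader than collection needs."""
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid, actions = st.get("Sid", "(no Sid)"), as_list(st["Action"])
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard action " + action))
        services = {a.split(":", 1)[0] for a in actions}
        if "*" in as_list(st["Resource"]) and services & SCOPABLE:
            findings.append((sid, "wildcard resource"))
    return findings
```

Serialize the result of `build_policy` with `json.dumps` to paste it into the IAM console, and resolve every `lint_policy` finding first.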

Step 3: In Splunk Light, install the App and Add-on

If you have a Splunk Light AMI instance, skip this step as the Splunk App for AWS is the default application in Splunk Light. The Splunk App for AWS and the Splunk Add-on for Amazon Web Services are pre-installed.

If you have a Splunk Light on-premises or cloud instance, install the following.

1. Install the Splunk Add-on for Amazon Web Services.
a. In Splunk Light, go to the sidebar menu and select Data > Apps and Add-ons.
b. Find the Splunk Add-on for Amazon Web Services and click Install.
c. Enter your Splunk username and password.
d. Select that you have read the terms and conditions of the license agreement.
e. Click Login and install.
f. Restart Splunk.
2. Install the Splunk App for AWS.
a. In Splunk Light, go to the sidebar menu and select Data > Apps and Add-ons.
b. Find the Splunk App for AWS and click Install.
c. Enter your Splunk username and password.
d. Select that you have read the terms and conditions of the license agreement.
e. Click Login and install.
f. Restart Splunk.

Step 4: In Splunk Light, add your AWS account and configure data sources

In your Splunk Light instance, add at least one AWS account to use for data collection, and configure your data sources (inputs) to get your AWS data into Splunk Light. You will need your AWS Account Access Key ID and AWS Secret Access Key. Splunk suggests you configure all the data sources listed to populate all dashboards. Each data source has instructions in the user dialog about how to add and configure the input.

1. Add your AWS account to your Splunk Light instance.
a. In Splunk Light, go to the App for AWS page and click Configure.
b. Under Accounts, click Add AWS Account.
c. Enter a friendly name.
d. Add your AWS Account Access Key ID.
e. Add your AWS Secret Access Key.
f. Click Add.
2. Configure data sources.
a. Click Set up for the data source.
b. Follow the instructions at the top of the dialog to configure the input.
See the Learn more link within the dialog, or Inputs overview for the Splunk App for AWS for information about specific data sources.

Step 5: Work with dashboards, alerts, and reports

See the following for information about the tools available in the Splunk App for AWS to analyze your AWS data.

Last modified on 14 March, 2019

This documentation applies to the following versions of Splunk® Light: 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1

