Splunk® App for AWS (Legacy)

User Manual

On July 15, 2022, the Splunk App for AWS will reach its end of life (EOL). After this date, Splunk will no longer maintain or develop this product. Splunk App for AWS is used for both IT monitoring and security use cases because it provides dashboards for both ITOps and security teams. The IT monitoring functionality in Splunk App for AWS is migrating to a content pack in Data Integrations called the Content Pack for Amazon Web Services Dashboards and Reports. The security use case functionality in Splunk App for AWS is migrating to the new Splunk App for AWS Security Dashboards. For more about migration options, see this community post.

Overview of the dashboards in the Splunk App for AWS

The Splunk App for AWS offers a variety of dashboards to give you insight into your AWS data. As you navigate from one dashboard to another, the app retains your most recent filter selections for Account ID and region to facilitate easy browsing.

Each dashboard is powered by data collected from your AWS environment using one or more input types configured in the Splunk Add-on for AWS. The dashboard overview tables below show the recommended input types to configure for each dashboard. For detailed information about all the supported input types for each source type, see Supported data types and corresponding AWS input types in the Splunk Add-on for AWS Guide.

If you do not see data in a particular dashboard panel, check the source type of the panel for which data is missing. For example, if the Configuration Changes panel on the Overview dashboard shows zeroes but you know changes have been made in your AWS environment, search sourcetype=aws:config:notification to check that data from that source type is arriving in your Splunk platform. If you do not see events, troubleshoot that input with a Splunk administrator and make sure that the proper AWS permissions have been configured for the Splunk Add-on for AWS. See the installation overview topic in the Splunk Add-on for AWS manual to identify the input permissions you need for your deployment.

Overviews

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
Overview: Gives a big picture overview of your AWS environment and its status from different perspectives, including configuration changes, usage, and security. If anything looks unusual, click a panel to drill down to a more detailed dashboard.

Recommended input types: SQS-based S3, Description
Configuration Changes aws:config:notification
Notable CloudTrail Activity by Origin aws:cloudtrail
Compute Instances aws:description
Storage aws:description, aws:cloudwatch
ELB aws:description, aws:cloudwatch
CloudFront aws:cloudfront:accesslogs
Usage Overview: Summarizes the usage of AWS services such as EC2 and EBS.

Recommended input types: Description, CloudWatch
EC2 and EBS aws:description
ELB aws:description, aws:cloudwatch
Max CPU Utilization - Last 7 Days Top 5 aws:cloudwatch, aws:description
Min CPU Utilization - Last 7 Days Top 5 aws:cloudwatch, aws:description
Security Overview: Displays the number of error events from different services. Drill down to more detailed dashboards from this overview.

Recommended input types: Description, SQS-based S3
IAM Errors aws:cloudtrail
VPC Errors aws:cloudtrail
Security Group Errors aws:cloudtrail
Key Pair Errors aws:cloudtrail
Network ACL Errors aws:cloudtrail
Unauthorized Activity aws:cloudtrail
Authorized vs Unauthorized IAM Activity aws:cloudtrail
Authorized vs Unauthorized Activity by User aws:cloudtrail
Authorized vs Unauthorized Activity by Event Name aws:cloudtrail
Insights Overview: Summarizes the numbers and trends of detected problems with resource usage.

Recommended input types: Description, CloudWatch
Insights - Yesterday aws:description, aws:cloudwatch
Anomaly - Yesterday aws:description, aws:cloudwatch, aws:cloudtrail
Anomaly - Last 100 by 12 a.m. aws:cloudwatch, aws:cloudtrail
Anomaly Detection Overview: Displays anomaly trends over time as well as a list of recent anomalies. You can also view and manage all the configured anomaly detection jobs in this dashboard. For information about creating anomaly detection rules, see Create anomaly detection rules.

Recommended input types: Description, CloudWatch
Anomaly Trends aws:description, aws:cloudwatch
Latest 100 Anomalies aws:description, aws:cloudwatch, aws:cloudtrail
Anomaly Detection Jobs aws:cloudwatch, aws:cloudtrail

Note: If you see a message indicating that the Notable CloudTrail Activity by Origin map cannot display, this is because AWS does not provide a valid sourceIPAddress for data in the AWS region at this time.
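
The Security Overview dashboard above, and the User Activity and IAM Activity dashboards in the Security section, split aws:cloudtrail events into authorized and unauthorized activity per principal, and the Notable CloudTrail Activity by Origin map depends on sourceIPAddress being a real, routable address. The following Python script is an added example, not code from the Splunk App for AWS or the Splunk Add-on for AWS: it applies those two classifications to constructed CloudTrail records. The set of error codes treated as unauthorized and the sample records are assumptions, not taken from this page.

```python
"""Classify aws:cloudtrail records as authorized/unauthorized and find mappable origins.

Added example, not code from the Splunk App for AWS. The error codes treated
as "unauthorized" and the sample records are assumptions, not taken from the page.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# CloudTrail error codes that mean the caller lacked permission (assumed set).
UNAUTHORIZED_ERROR_CODES = {
    "AccessDenied", "AccessDeniedException",
    "UnauthorizedOperation", "Client.UnauthorizedOperation",
}

# Ranges that never geolocate: RFC 1918, loopback, link-local, unspecified.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed records shaped like CloudTrail Records[] entries, reduced to the
# fields used here. Public addresses are from documentation ranges.
SAMPLE_RECORDS = [
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:AttachUserPolicy"},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Deploy/i-0123456789abcdef0"},
     "sourceIPAddress": "10.0.1.25"},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "AWS Internal", "errorCode": "Client.RequestLimitExceeded"},
    {"eventName": "CreateSnapshot", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Backup"},
     "sourceIPAddress": "ec2.amazonaws.com"},
]


def records_from_json(text):
    """Accept a CloudTrail log file ({"Records": [...]}) or a bare record list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def is_unauthorized(record):
    """True when the call was denied for lack of permission."""
    return record.get("errorCode") in UNAUTHORIZED_ERROR_CODES


def mappable_source_ip(record):
    """Return sourceIPAddress if it is a routable IP, otherwise None.

    AWS fills sourceIPAddress with a service principal (ec2.amazonaws.com) or
    "AWS Internal" for calls made on your behalf; those cannot be geolocated.
    """
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return None
    if any(ip in net for net in _NON_ROUTABLE):
        return None
    return str(ip)


def summarize(records):
    """Per-principal authorized/unauthorized counts plus origin statistics."""
    by_user = defaultdict(lambda: {"authorized": 0, "unauthorized": 0})
    errors, origins, unmappable = Counter(), Counter(), Counter()
    for record in records:
        arn = record.get("userIdentity", {}).get("arn", "unknown")
        by_user[arn]["unauthorized" if is_unauthorized(record) else "authorized"] += 1
        if "errorCode" in record:
            errors[record["errorCode"]] += 1  # all failures, not only authz
        ip = mappable_source_ip(record)
        if ip is None:
            unmappable[record.get("sourceIPAddress", "")] += 1
        else:
            origins[ip] += 1
    return {"by_user": dict(by_user), "errors": errors,
            "origins": origins, "unmappable": unmappable}


if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    for arn, counts in sorted(result["by_user"].items()):
        print("%-75s authorized=%d unauthorized=%d" % (arn, counts["authorized"], counts["unauthorized"]))
    print("error codes:", dict(result["errors"]))
    print("mappable origins:", dict(result["origins"]))
    print("not mappable:", dict(result["unmappable"]))
```

A call that fails for a reason other than permission (Client.RequestLimitExceeded in the sample) counts as authorized activity but still appears in the error totals, which is the distinction between the Error Events and Unauthorized Activity panels. Records whose sourceIPAddress is a service principal, AWS Internal or a private VPC address are reported under unmappable, so a sparse origin map can be told apart from missing data.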

Topology

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
Topology: Displays the topology of your AWS resources and how they relate to each other. See Topology dashboard reference for the Splunk App for AWS for more details.

Recommended input types: SQS-based S3, CloudWatch, Kinesis, Billing (Cost and Usage Report)
Topology aws:config
Relationships aws:config
Usage aws:cloudwatch
Activity aws:cloudtrail
VPC Flow aws:cloudwatchlogs:vpcflow
IAM aws:config
Billing aws:billing:cur, aws:billing
Amazon Inspector and Config Rules aws:inspector, aws:config:rule

Timeline

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
Timeline: Chronologically displays up to 200 historical events on a timeline associated with the following AWS services: Config Notification, Amazon Inspector, Config Rules, CloudTrail, Personal Health, and SQS (custom events).
For SQS custom events to be displayed on the timeline, the events must use the following JSON format and be ingested from the SQS queue by the Splunk Add-on for AWS:
{
    "title": "<event title>",
    "description": "<event description>",
    "resourceId": "<AWS resource ID>",
    "accountId": "<AWS account ID>",
    "region": "<AWS region>"
}

Recommended input types: SQS-based S3, Description, Inspector
Timeline aws:description, aws:inspector, aws:cloudtrail, aws:config:rule, aws:config:notification
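
As an added example that is not part of the Splunk App for AWS or the Splunk Add-on for AWS, the following Python script builds an SQS message body in the Timeline custom event format above and validates bodies before they are queued, so a misspelled or missing field is caught instead of being discovered later as an event that never appears on the Timeline. The 12-digit account ID and region-code checks are assumptions about sensible values, not requirements stated on this page.

```python
"""Build and validate custom Timeline events before queueing them in SQS.

Added example, not code from the Splunk App for AWS or the Splunk Add-on for
AWS. It produces the five-field JSON body the Timeline dashboard expects and
rejects bodies that would not match that format.
"""
import json
import re

# Field names from the documented format; all five are required.
REQUIRED_FIELDS = ("title", "description", "resourceId", "accountId", "region")

# Assumed sanity rules (not stated on the page): an AWS account ID is 12 digits
# and a region code looks like us-east-1, eu-central-1 or us-gov-west-1.
_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


class InvalidTimelineEvent(ValueError):
    """A message body that does not match the Timeline custom event format."""


def validate_timeline_event(event):
    """Raise InvalidTimelineEvent if `event` is not a well-formed Timeline event."""
    if not isinstance(event, dict):
        raise InvalidTimelineEvent("body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise InvalidTimelineEvent("missing fields: %s" % ", ".join(missing))
    extra = sorted(set(event) - set(REQUIRED_FIELDS))
    if extra:
        # An unknown key is usually a misspelling of a required one.
        raise InvalidTimelineEvent("unexpected fields: %s" % ", ".join(extra))
    for field in REQUIRED_FIELDS:
        value = event[field]
        if not isinstance(value, str) or not value.strip():
            raise InvalidTimelineEvent("%s must be a non-empty string" % field)
    if not _ACCOUNT_ID_RE.match(event["accountId"]):
        raise InvalidTimelineEvent("accountId must be a 12-digit AWS account ID")
    if not _REGION_RE.match(event["region"]):
        raise InvalidTimelineEvent("region must be a region code such as us-east-1")
    return event


def build_timeline_event(title, description, resource_id, account_id, region):
    """Return the JSON string to use as the SQS message body."""
    event = {
        "title": title,
        "description": description,
        "resourceId": resource_id,
        "accountId": account_id,
        "region": region,
    }
    validate_timeline_event(event)
    return json.dumps(event, separators=(",", ":"), sort_keys=True)


def parse_timeline_message(body):
    """Parse an SQS message body and return the validated event dict."""
    try:
        event = json.loads(body)
    except ValueError as exc:
        raise InvalidTimelineEvent("body is not valid JSON: %s" % exc)
    return validate_timeline_event(event)


def is_valid_timeline_message(body):
    """True if `body` would be accepted; usable as a pre-send check."""
    try:
        parse_timeline_message(body)
    except InvalidTimelineEvent:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from a real account.
    body = build_timeline_event(
        title="Deployment of web tier",
        description="Rolled out build 2021.03.30 to the web autoscaling group",
        resource_id="i-0123456789abcdef0",
        account_id="123456789012",
        region="us-east-1",
    )
    print(body)
    # A misspelled field name is rejected here rather than producing a queued
    # event that the Timeline never shows.
    print(is_valid_timeline_message(body.replace('"region"', '"regioin"')))
```

Send the returned string as the body of an SQS SendMessage call to the queue that the Splunk Add-on for AWS reads; parse_timeline_message is equally useful on the receiving side when working out why a queued event does not show up on the Timeline.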

Usage

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
EC2 Instances: Describes the usage of your EC2 instances.

Recommended input types: Description, CloudWatch
Running EC2 Instances aws:description
In-Use Reserved EC2 Instances aws:description
Unused Reserved EC2 Instances aws:description
Running EC2 Instances by Category aws:description
Running EC2 Instances by Region aws:description
Running EC2 Instances by Type aws:description
Running EC2 Instances by Type Over Time aws:description
Running EC2 Instances by Region Over Time aws:description
EC2 Spot Instances Details aws:description
EC2 Reserved Instances aws:description
High Utilization EC2 Instances aws:cloudwatch, aws:description
Low Utilization EC2 Instances aws:cloudwatch, aws:description
Individual EC2 Instances: Allows you to look up the detailed usage of specific EC2 instances.

Recommended input types: Description, CloudWatch
EC2 Instance Details aws:description
Average CPU Utilization - Last 24h aws:cloudwatch
Total Network I/O - Last 24h aws:cloudwatch
Total Failed Status Checks - Last 24h aws:cloudwatch
Average CPU Utilization Over Time aws:cloudwatch
Total Network I/O Over Time aws:cloudwatch
Total Failed Status Checks Over Time aws:cloudwatch
EBS Volumes: Describes the usage of EBS volumes.

Recommended input types: Description, CloudWatch
In-Use EBS Volumes aws:description
In-Use EBS Volume Size aws:description
EBS Snapshots Size aws:description
In-Use EBS Volumes by Type aws:description
EBS Volumes by Sizes aws:description
EBS Volumes by IOPS aws:description
Unused EBS Volumes aws:description
Non-Optimized EBS Volumes aws:description
EBS Volumes Without Recent (30 days) Snapshot aws:description
Standard EBS Volumes with IOPS > 95 - Last 7 Days aws:description, aws:cloudwatch
EBS Volumes with IOPS < 1 - Last 7 Days aws:description, aws:cloudwatch
Individual EBS Volumes: Allows you to look up the detailed usage of specific EBS volumes.

Recommended input types: Description, CloudWatch
EBS Volume Details aws:description
Average IOPS - Last 24h aws:cloudwatch
Total Read/Write - Last 24h aws:cloudwatch
Average Queue Length - Last 24h aws:cloudwatch
Average IOPS Over Time aws:cloudwatch
Total Read/Write Over Time aws:cloudwatch
Average Queue Length Over Time aws:cloudwatch
ELB Instances: Displays information about the ELBs in your environment.

Recommended input types: Description, CloudWatch
Total ELBs aws:description
Total Requests aws:cloudwatch
Unhealthy EC2 Instances aws:description
ELB Error Requests aws:cloudwatch
HTTP 4XX Responses aws:cloudwatch
HTTP 5XX Responses aws:cloudwatch
ELBs by Region aws:description
Requests by ELB aws:cloudwatch
Requests by HTTP Status Code aws:cloudwatch
Latency per ELB Over Time aws:cloudwatch
Requests per ELB Over Time aws:cloudwatch
Individual ELB Instances: Allows you to look up detailed information about specific ELBs.

Recommended input types: Description, CloudWatch
Total Requests aws:cloudwatch
ELB Error Requests aws:cloudwatch
HTTP Error Requests aws:cloudwatch
Unhealthy EC2 Instances aws:description
ELB Details aws:cloudwatch
EC2 Instances aws:description
Latency Over Time aws:cloudwatch
Request Count Over Time aws:cloudwatch
HTTP Status Code Over Time aws:cloudwatch
Relational Database Service: Displays RDS data from the CloudWatch service.

Recommended input types: Description, CloudWatch
RDS Instance Details aws:description, aws:cloudwatch
Average CPU Utilization aws:description, aws:cloudwatch
Average Freeable Memory aws:description, aws:cloudwatch
Average Free Storage Space aws:description, aws:cloudwatch
Average Write IOPS aws:description, aws:cloudwatch
Average Read Latency aws:description, aws:cloudwatch
Average Write Latency aws:description, aws:cloudwatch
Lambda: Provides detailed metrics of functions run by the AWS Lambda compute service.

Recommended input types: CloudWatch
Duration (ms) by Function aws:cloudwatch
Invocations by Function aws:cloudwatch
Errors by Function aws:cloudwatch
Throttles by Function aws:cloudwatch
GB-s by Function aws:cloudwatch
Duration (ms) by Function Over Time aws:cloudwatch
Invocations by Function Over Time aws:cloudwatch
Errors by Function Over Time aws:cloudwatch
Throttles by Function Over Time aws:cloudwatch
GB-s by Function Over Time aws:cloudwatch
API Gateway: Lets you view metrics of APIs managed through your API Gateway.

Recommended input types: CloudWatch
Total Count by API aws:cloudwatch
Total Count by API Over Time aws:cloudwatch
Most Active Methods aws:cloudwatch
Slowest Methods aws:cloudwatch
Capacity Planner: Allows you to analyze your usage to plan your capacity for upcoming months, based on historical monthly data from Detailed billing reports with resources and tags.

Recommended input types: Billing (Cost and Usage Report)
Total Instance Hours aws:billing, aws:billing:cur
Percentage of On-Demand Hours aws:billing
Total Instance Cost aws:billing
Percentage of On-Demand Cost aws:billing
Instance Hours aws:billing
Reserved Instance Planner: Helps you better plan your reserved instances by letting you view existing resources and providing optimal resource recommendations with estimated annual savings based on historical or predictive usage data.

Recommended input types: Billing (Cost and Usage Report), Description
Reserved Instance Planner aws:billing, aws:billing:cur, aws:description
Reserved Instance Inventory: Displays usage statistics of reserved instances (RI) as well as current RI plans.

Recommended input types: Description, Billing (Cost and Usage Report)
RIs by Instance Type aws:description
RIs by Region aws:description
RIs by Payment Option aws:description
RI Plans aws:description
RI Utilization by Family in Last Month aws:description, aws:billing, aws:billing:cur

Security

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
Network ACLs: Describes the Network ACL activity in your AWS environment, including error events, the number of Network ACLs, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3, Description
Network ACLs aws:description
Error Events aws:cloudtrail
Network ACL Actions aws:cloudtrail
Network ACL Activity Over Time aws:cloudtrail
Detailed Network ACLs Activity aws:cloudtrail
Network ACL Error Activity aws:cloudtrail
Security Groups: Describes security group activity in your AWS environment, including error events, the number of security groups and rules, any unused security groups, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3, Description
Security Groups aws:description
Security Group Rules aws:description
Error Events aws:cloudtrail
Security Group Actions aws:cloudtrail
Unused Security Groups aws:config
Security Group Activity Over Time aws:cloudtrail
Security Group Activity aws:cloudtrail
Authorize and Revoke Activity aws:cloudtrail
Security Group Error Activity aws:cloudtrail
IAM Activity: Describes IAM activity in your environment, including error events, which users have the most activity, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3
Error Events aws:cloudtrail
Activity by User aws:cloudtrail
IAM Actions aws:cloudtrail
IAM Activity Over Time aws:cloudtrail
Authorized vs. Unauthorized Activity aws:cloudtrail
Detailed IAM Activity aws:cloudtrail
IAM Error Activity aws:cloudtrail
Key Pairs Activity: Describes the key pair activity in your AWS environment, including error events, the number of in-use key pairs, which key pair is most used, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3, Description
In-Use Key Pairs aws:description
Error Events aws:cloudtrail
Key Pair Actions aws:cloudtrail
Key Pair Usage aws:description
Key Pair Activity Over Time aws:cloudtrail
Key Pair Activity aws:cloudtrail
Key Pair Error Activity aws:cloudtrail
S3 - Data Event: Displays S3 event statistics.

Recommended input types: SQS-based S3
Error Events aws:s3:accesslogs
Unauthorized Events aws:s3:accesslogs
Activities by User aws:s3:accesslogs
Events by UserAgent aws:s3:accesslogs
Events by UserName aws:s3:accesslogs
Events by BucketName aws:s3:accesslogs
Events Over Time aws:s3:accesslogs
Events by Origin aws:s3:accesslogs
Most Frequently Accessed Objects - Top 10 aws:s3:accesslogs
Most Recent Modifications - Latest 10 aws:s3:accesslogs
VPC Activity: Describes VPC activity in your environment, including error events, the number of VPCs, activity over time, and the detailed list of error activities.

Recommended input types: SQS-based S3, Description
VPCs aws:description
Error Events aws:cloudtrail
Network VPC Actions aws:cloudtrail
VPC Activity Over Time aws:cloudtrail
Detailed VPC Activity aws:cloudtrail
VPC Error Activity aws:cloudtrail
Resource Activity: Shows the resource changes over time and the detailed change list.

Recommended input types: SQS-based S3
Changes Over Time aws:config:notification
Changes by Resource Type aws:config:notification
Resources aws:config:notification
User Activity: Describes user activity in your AWS environment, including the number of active users, error/unauthorized activities, activity over time, and the list of activities. You can also filter activities by ARN or username.

Recommended input types: SQS-based S3
Active Users aws:cloudtrail
Error Activities aws:cloudtrail
Unauthorized Activities aws:cloudtrail
User Activity by Event Name Over Time aws:cloudtrail
User Activity by User Name Over Time aws:cloudtrail
Most Recent User Activity Grouped by Event Name aws:cloudtrail
Event Details aws:cloudtrail
Geographic Source of Event(s) aws:cloudtrail
CloudFront - Traffic Analysis: Traffic and error metrics about your CloudFront distributions.

Recommended input types: SQS-based S3
Total Requests aws:cloudfront:accesslogs
Error Requests aws:cloudfront:accesslogs
Total Request Traffic aws:cloudfront:accesslogs
Total Response Traffic aws:cloudfront:accesslogs
Cache Hit Ratio aws:cloudfront:accesslogs
Traffic Size by Location (Bytes) aws:cloudfront:accesslogs
Request Count by Location aws:cloudfront:accesslogs
HTTP Status aws:cloudfront:accesslogs
User Agents aws:cloudfront:accesslogs
CloudFront Edge Details aws:cloudfront:accesslogs
Top URLs aws:cloudfront:accesslogs
Top Request by Edge Location aws:cloudfront:accesslogs
Slowest Requests aws:cloudfront:accesslogs
Heaviest Traffic Requests aws:cloudfront:accesslogs
Latency Over Time aws:cloudfront:accesslogs
Traffic (MB) Over Time aws:cloudfront:accesslogs
ELB - Traffic Analysis: Data from your ELB access logs.

Recommended input types: SQS-based S3
Total Entries aws:elb:accesslogs
Total ELBs aws:elb:accesslogs
Unique Clients aws:elb:accesslogs
Total Data Sent aws:elb:accesslogs
Total Data Received aws:elb:accesslogs
Traffic Size by Location (Bytes) aws:elb:accesslogs
Request Count by Location aws:elb:accesslogs
Error Entries aws:elb:accesslogs
Average Processing Time aws:elb:accesslogs
Top Error-Causing Requests aws:elb:accesslogs
Error Count aws:elb:accesslogs
Top Time-Consuming Requests aws:elb:accesslogs
Processing Time (ms) aws:elb:accesslogs
S3 - Traffic Analysis: Data from your S3 access logs.

Recommended input types: SQS-based S3
Total Requests aws:s3:accesslogs
Error Requests aws:s3:accesslogs
Total Traffic aws:s3:accesslogs
Average Processing Time aws:s3:accesslogs
Traffic Size by Location (Bytes) aws:s3:accesslogs
Request Count by Location aws:s3:accesslogs
HTTP Status aws:s3:accesslogs
S3 Error Code aws:s3:accesslogs
Top User Agents aws:s3:accesslogs
Top Requests aws:s3:accesslogs
Request Count Over Time aws:s3:accesslogs
Top Error Requests aws:s3:accesslogs
Error Count Over Time aws:s3:accesslogs
VPC Flow Logs - Traffic Analysis: Provides an overview of your network traffic.

Recommended input types: SQS-based S3
Monitored Interfaces aws:cloudwatchlogs:vpcflow
Traffic Protocols aws:cloudwatchlogs:vpcflow
All Traffic (GB) aws:cloudwatchlogs:vpcflow
Traffic Destinations aws:cloudwatchlogs:vpcflow
Traffic Sources aws:cloudwatchlogs:vpcflow
Traffic Over Time by Interface (Top 5) aws:cloudwatchlogs:vpcflow
Traffic Size by Protocol and Location aws:cloudwatchlogs:vpcflow
Top Destination Addresses aws:cloudwatchlogs:vpcflow
Top Destination Ports aws:cloudwatchlogs:vpcflow
Top Source Addresses aws:cloudwatchlogs:vpcflow
VPC Flow Logs - Security Analysis: Provides an overview of your rejected network traffic.

Recommended input types: SQS-based S3
Accepted vs. Rejected Over Time (Bytes) aws:cloudwatchlogs:vpcflow
Accepted vs. Rejected Traffic by Location aws:cloudwatchlogs:vpcflow
Top Rejected Destination Ports aws:cloudwatchlogs:vpcflow
Top Rejected Source Addresses aws:cloudwatchlogs:vpcflow
Top 50 Rejected Address Pairs aws:cloudwatchlogs:vpcflow
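
The VPC Flow Logs - Security Analysis panels above are aggregations over aws:cloudwatchlogs:vpcflow records. The following Python script is an added example, not code from the Splunk App for AWS or the Splunk Add-on for AWS: it parses default-format (version 2) flow log records, drops NODATA and SKIPDATA records, and computes accepted versus rejected bytes plus the top rejected destination ports, source addresses and address pairs. The log lines are constructed for the example and use documentation address ranges.

```python
"""Parse VPC Flow Log records and summarize accepted versus rejected traffic.

Added example, not code from the Splunk App for AWS. Parses the default
(version 2) flow log record format and builds the aggregates behind the
VPC Flow Logs - Security Analysis panels. The log lines are constructed.
"""
from collections import Counter, namedtuple

# Default flow log fields, in order (version 2 format).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

FlowRecord = namedtuple("FlowRecord", FIELDS)

# IANA protocol numbers that appear in flow logs most often.
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample, as delivered to the aws:cloudwatchlogs:vpcflow source type.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 49152 22 6 10 840 1617100000 1617100060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 49153 3389 6 4 240 1617100000 1617100060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.25 51000 443 6 120 98000 1617100000 1617100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.4 443 51000 6 110 410000 1617100000 1617100060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.77 10.0.1.25 40000 22 6 3 180 1617100000 1617100060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1617100000 1617100060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1617100000 1617100060 - SKIPDATA
"""


def parse_flow_log(text):
    """Return FlowRecords for every well-formed line with log-status OK.

    NODATA/SKIPDATA lines carry no addresses or ports and are dropped, as are
    lines with the wrong field count (for example a custom-format file that
    does not match the default field list).
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        values = [int(v) if name in INT_FIELDS else v for name, v in zip(FIELDS, parts)]
        records.append(FlowRecord(*values))
    return records


def security_summary(records, top_n=10):
    """Aggregates mirroring the VPC Flow Logs - Security Analysis dashboard."""
    bytes_by_action = Counter()
    rejected_ports = Counter()
    rejected_sources = Counter()
    rejected_pairs = Counter()
    for r in records:
        bytes_by_action[r.action] += r.bytes
        if r.action == "REJECT":
            proto = PROTOCOL_NAMES.get(r.protocol, str(r.protocol))
            rejected_ports["%s/%d" % (proto, r.dstport)] += 1
            rejected_sources[r.srcaddr] += 1
            rejected_pairs[(r.srcaddr, r.dstaddr)] += 1
    return {
        "bytes_by_action": dict(bytes_by_action),
        "top_rejected_ports": rejected_ports.most_common(top_n),
        "top_rejected_sources": rejected_sources.most_common(top_n),
        "top_rejected_pairs": rejected_pairs.most_common(top_n),
    }


if __name__ == "__main__":
    summary = security_summary(parse_flow_log(SAMPLE_LOG))
    print("bytes by action:", summary["bytes_by_action"])
    print("top rejected ports:", summary["top_rejected_ports"])
    print("top rejected sources:", summary["top_rejected_sources"])
    print("top rejected pairs:", summary["top_rejected_pairs"])
```

If your flow logs use a custom format, the field list differs from the default one; adjust FIELDS and INT_FIELDS to match, because records whose field count does not match are dropped rather than misparsed. Rejected byte counts are small by nature (a REJECT records only the packets that were dropped), which is why the Accepted vs. Rejected panels compare counts and sizes separately.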

Insights

Note: Splunk Light does not support the Insights dashboards, including the Insights Overview dashboard under the Overview menu. If you use Splunk Light, all Insights dashboard menus are hidden from view.

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
Config Rules: Displays compliance status results based on the AWS Config rules that you have set up in your environment.

Recommended input types: SQS-based S3
Active Config Rules aws:config:rule
Non-Compliant Config Rules aws:config:rule
Non-Compliant Resources aws:config:rule
Compliant vs Non-Compliant Config Rules aws:config:rule
Compliant vs Non-Compliant Resources aws:config:rule
Non-Compliant Resources by Config Rules aws:config:rule
Active Config Rules Summary aws:config:rule
Non-Compliant Resource Details aws:config:rule
Non-Compliant Resources Over Time aws:config:rule
Amazon Inspector: Displays results of your Amazon Inspector findings, which you can filter by assessment run and severity. From the Findings table on this dashboard, click an EC2 instance name to jump directly to the Topology dashboard and view that instance in context.

Recommended input types: Inspector
Completed Assessment Runs aws:inspector
Total Findings aws:inspector
High Severity aws:inspector
Medium Severity aws:inspector
Low Severity aws:inspector
Informational Severity aws:inspector
Findings aws:inspector
EC2 Insights: Displays EC2 instances with potential problems. Note: At least four days' worth of CloudWatch data for EC2 instances over the past seven days must be available for the dashboard to work.

Recommended input types: Description, CloudWatch
EC2 Insights aws:description, aws:cloudwatch
Elastic IP Insights: Displays public IPs with problems and provides best practice recommendations.

Recommended input types: Description
Elastic IP Insights aws:description
ELB Insights: Displays load-balancing problems at different severity levels and provides best practice recommendations.

Recommended input types: Description, CloudWatch
Elastic Load Balancing Insights aws:description, aws:cloudwatch
EBS Insights: Displays detected EBS-related anomalies at different severity levels and provides best practice recommendations.

Recommended input types: Description
EBS Insights aws:description, aws:cloudwatch
AWS Personal Health: Displays the status of different types of services.

Recommended input types: SQS
Service Status aws:sqs
Security Group Insights: Displays different severity levels of detected problems with the configuration and usage of security groups in your AWS environment.

Recommended input types: Description
Security Group Insights aws:description
IAM Insights: Displays different severity levels of detected problems with IAM authentication setup and management in your AWS environment.

Recommended input types: Description
IAM Insights aws:description

Billing

Dashboard | Description and recommended input types in the Splunk Add-on for AWS | Panel | Source type
Budget Planner: Helps you plan budgets and control expenses by letting you set monthly budgets over a period of time, view all aspects of your budget information, and track actual expenses against your budgets.

Recommended input types: Billing (Cost and Usage Report)
Total Budget aws:billing, aws:billing:cur
Monthly Budget aws:billing, aws:billing:cur
Remaining Total Budget aws:billing, aws:billing:cur
Budget Burndown aws:billing, aws:billing:cur
Budget aws:billing, aws:billing:cur
Month-over-month Budget aws:billing, aws:billing:cur
Current Month Estimated Billing: Projected AWS bill information based on your CloudWatch billing metrics.
Note that the Total Projected Cost - This Month and Cost Projection Over Time panels need at least two data points before a projection can appear, so these panels show "No results found" for the first few days of each new month.

Recommended input types: CloudWatch
Estimated Cost - Month to Date aws:cloudwatch
Total Projected Cost - This Month aws:cloudwatch
Estimated Cost by Account aws:cloudwatch
Estimated Cost by Service aws:cloudwatch
Month over Month Comparison - Daily Cost aws:cloudwatch
Cost Projection Over Time aws:cloudwatch
Estimated Cost by Account and Service - Month to Date aws:cloudwatch
Historical Monthly Bills: Displays your monthly billing cost up to but excluding the current month. AWS continues to update the monthly billing report for several days after the last day of a calendar month, so you may see some fluctuation in the most recent monthly charge during the first few days of a new month.
Note that the Cost by Region panel is not available in consolidated accounts and shows incomplete costs in nonconsolidated accounts if your bills include items that have no region information associated with them.

Recommended input types: Billing (Cost and Usage Report)
Cost by Account aws:billing, aws:billing:cur
Cost by Service aws:billing, aws:billing:cur
Cost by Region aws:billing, aws:billing:cur
EC2 Cost by Instance Type aws:billing, aws:billing:cur
EBS Cost by Usage Type aws:billing, aws:billing:cur
Month over Month Comparison aws:billing, aws:billing:cur
Cost by Account and Service aws:billing, aws:billing:cur
Historical Detailed Bills: Allows you to analyze your detailed billing history using your Detailed billing reports with resources and tags. Does not include data for the current month. Expect long load times for this dashboard due to the large amount of data in the Detailed billing report.

Recommended input types: Billing (Cost and Usage Report)
Total Cost aws:billing, aws:billing:cur
Cost Over Time aws:billing, aws:billing:cur
Last modified on 30 March, 2021

This documentation applies to the following versions of Splunk® App for AWS (Legacy): 6.0.1, 6.0.2, 6.0.3

