I am using Splunk Free Enterprise, and have had a ton of difficulty in getting data from AWS CloudWatch into the Splunk Add-On for Amazon Web Services. In addition, the Splunk App for AWS simply doesn't work with the add-on. I can see events in the add-on for the AWS/EC2 namespace, and yet the app has 0 for everything. My inputs are going to the "main" index, not anything special. And I am only collecting from the "InstanceId" dimension for EC2 (as I saw a post earlier saying the others wouldn't work).
So, do they actually work in the free enterprise version? Is there something I need to set up to help the two parts communicate?
You need to install the Splunk_TA_aws.
The app just does the visualizations and saved searches. The TA collects the actual data from the AWS web services.
In the most recent version of the AWS app, 5.1.0, the app no longer 'communicates' with the TA like it did in previous versions. Instead you perform all of the input config in the TA, and switch to the app to view it. As an aside, if you're using AWS Config, the TA no longer generates a config snapshot for you; you will have to trigger the API to do this for you, and there is no mention of this in the documentation (I have raised this with support!).
I am not sure what data you would be trying to collect, but the bulk of the useful information comes from the Config and CloudTrail services. The app uses those historical audit and activity sources to populate most of the dashboards. It's not talking directly to the EC2 endpoints to get performance or machine data.
Oh, also: have you enabled the summary saved searches on the TA? These take your TA-configured inputs and write them into a summary index. The app then uses the results from the summary index to pass to the other saved searches which generate the data.
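To make the summary-index mechanism in the answer above concrete, here is an added example (not code from the original thread, and not a stanza shipped by the Splunk App or Add-on for AWS): a `local/savedsearches.conf` fragment that defines one scheduled search writing aggregated EC2 CloudWatch metrics into a summary index, and one ad-hoc search for checking which AWS sourcetypes have actually reached your index before blaming the app. The index names (`main`, `summary`), the sourcetypes (`aws:cloudwatch`, `aws:cloudtrail`, `aws:config`) and the CloudWatch field names used in the `stats` command (`Namespace`, `metric_name`, `Average`, `Maximum`, `InstanceId`) are assumptions; compare them against what your own TA inputs produce.

```ini
# Added example (not the thread's or the TA's own configuration).
# File: $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# Assumed: raw AWS data lands in index=main, summaries go to index=summary.

[Summarize EC2 CloudWatch metrics (example)]
# Run every 10 minutes over the previous 10-minute window, aligned to the minute.
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = @m
# Aggregate per instance and metric so the summary index stays small.
# Field names (Namespace, metric_name, Average, Maximum, InstanceId) are assumed;
# check them with "sourcetype=aws:cloudwatch | head 5" before enabling this.
search = index=main sourcetype="aws:cloudwatch" Namespace="AWS/EC2" \
  | stats avg(Average) AS avg_value max(Maximum) AS max_value BY InstanceId, metric_name
# Summary-indexing action: write the stats output into the "summary" index and
# tag every summary event with report=ec2_cloudwatch so it is easy to find again.
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = ec2_cloudwatch

[Check which AWS sourcetypes reached the index (example)]
# Quick sanity check: if aws:cloudtrail and aws:config are missing here, the
# dashboards that depend on them will stay at 0 no matter what the app shows.
search = | tstats count WHERE index=main sourcetype=aws:* BY sourcetype

[Check what landed in the summary index (example)]
# Confirms the scheduled search above is actually producing summary events.
search = index=summary report=ec2_cloudwatch | stats count BY InstanceId, metric_name
```

After saving the file, restart Splunk or reload the conf via Settings, then run the two check searches from the search bar; an empty result from the second check (before the first scheduled run has had time to fire) is expected, but an empty result from the sourcetype check means the TA inputs themselves are not ingesting.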
Thanks, that's good to know! I was only collecting EC2 metrics from AWS CloudWatch, so maybe that's the problem. I will try collecting from Config and CloudTrail too and see what happens. I have the "Addon Metadata - Summarize AWS Inputs" enabled. Is that what you mean by the summary saved search? (I'm rather new to Splunk.)
Thanks for the comments Woodcock and Esky73. I have gone through the documentation and tried a lot of different things to get the data from the add-on into the app and nothing has worked.
Do you know if I have to be collecting all of the CloudWatch data, not just the EC2 data, for the app to work? I would have thought that I could see the EC2 data in the AWS App without having to get the ELB, billing, RDS etc. data. Or is there something special that needs to be configured and is undocumented?
On the configuration page in the App for AWS, I have no options to do anything other than a few checkboxes to enable warning messages and a button to select billing tags.