All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can Splunk App for AWS and TA for AWS on Search head communicate with Splunk TA for AWS on Heavy Forwarder?

purvipathak
New Member
‎12-28-2017 07:28 AM

The Splunk App for AWS and the AWS TA are running on the Search head. The TA is also installed on the Heavy Forwarder. We are able to run the "listawsinputs" command on the TA on the Heavy Forwarder but it is not running on the TA on the search head. The listawsinputs is required to make the Topology dashboard run on the Splunk App for AWS. What can be done to make the two TAs communicate with each other?

0 Karma
Reply

nickhills
Ultra Champion
‎12-28-2017 08:20 AM

They don't talk to 'each other' - they talk via an index!.

When you run the scheduled search on your configured HF it runs
| listawsinputs | collect 'aws-input-index'

The collect statement tells Splunk to write the results of the list command into a summary index defined by aws-input-index
The App on the SH then queries the same summary index, to work out which inputs you HF has been configured with.

You need to make sure that the summary indexes are created on your indexers - otherwise the HFs won't write it into the correct index, and the SH wont be able to find it.

Distribute the summary index

configurations to the indexer:

Copy $SPLUNK_HOME/etc/apps/splunk_apps_aws/default/indexes.conf
from the search head to a temporary
directory on the indexer and then
merge all the settings in the file
into
$SPLUNK_HOME/etc/apps/search/local/indexes.conf
to incorporate the summary index
configurations.

http://docs.splunk.com/Documentation/AWS/5.1.0/Installation/Installon-prem

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...