I have configured the AWS add-on on the Heavy Forwarder and the AWS app on the Search Head, but the AWS app dashboard is not displaying

Dhanaskv
Path Finder

I have configured a distributed Splunk setup with the AWS add-on on the Heavy Forwarder and the AWS app on the Search Head, but the configuration changes are not displaying in the AWS app dashboard.

Screenshot from 2021-03-15 10-26-37.png

0 Karma
1 Solution

Dhanaskv
Path Finder

@Vardhan Thank you so much for your time, I am really happy.
Here are the steps to find the result:
1. Install the Splunk AWS add-on on the Search Head.
2. Create outputs.conf in the search head directory (/opt/Splunk/etc/apps/splunk_apps_aws/local/, vi outputs.conf).
3. Enter the following content in outputs.conf:

# Turn off indexing on the search head
[indexAndForward]
index = false

[tcpout]
# Name of the search peer group
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
# List of peers
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997

0 Karma
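
A small lint for the search head outputs.conf from the accepted solution, added here as an example (it is not part of the original post and not Splunk tooling). Splunk .conf files treat only whole lines starting with `#` as comments, so trailing `#` text on a setting line becomes part of the value; the check also confirms that defaultGroup has a matching [tcpout:<group>] stanza and that server entries are host:port. The function names and the embedded sample are constructed for illustration.

```python
import re

SERVER_RE = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")  # host:port (assumption: no IPv6 literals)
# Constructed sample: the settings from the post with trailing comments on setting lines.
POSTED = """\
[indexAndForward]
index = false # Turn off indexing on the search head
[tcpout]
defaultGroup = my_search_peers # Name of the search peer group
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997 # list of peers
"""

def parse_conf(text):
    """Return {stanza: {key: raw_value}}; only whole-line '#' comments are skipped."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_outputs(text):
    """Return a sorted list of findings for a search-head forwarding outputs.conf."""
    conf, findings = parse_conf(text), []
    for stanza, settings in conf.items():
        for key, value in settings.items():
            if "#" in value:
                findings.append(f"[{stanza}] {key}: trailing '#' text is part of the value")
    if conf.get("indexAndForward", {}).get("index") != "false":
        findings.append("[indexAndForward] index is not exactly 'false'")
    group = conf.get("tcpout", {}).get("defaultGroup", "")
    if f"tcpout:{group}" not in conf:
        findings.append(f"[tcpout] defaultGroup '{group}' has no [tcpout:{group}] stanza")
    for stanza, settings in conf.items():
        if stanza.startswith("tcpout:"):
            for entry in settings.get("server", "").split(","):
                if not SERVER_RE.match(entry.strip()):
                    findings.append(f"[{stanza}] server entry '{entry.strip()}' is not host:port")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_outputs(POSTED)))
```

On the effective configuration, `splunk btool outputs list --debug` shows which file each setting is read from.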

Dhanaskv
Path Finder

@Vardhan Thank you so much, Vishnu. Without your help I couldn't have found the solution.

0 Karma

Vardhan
Contributor

Hi,

Are logs coming to the index?

If logs are coming, then I believe the app is not fetching the logs from the correct index. Just check whether the default config of the app mentions the index name anywhere in a macro or eventtype.

Dhanaskv
Path Finder

Thanks for your response 

Are logs coming to the index? 👇

Yes @Vardhan  

Screenshot from 2021-03-15 11-47-57.png

Does the default config of the app mention the index name anywhere in a macro or event type?

@Vardhan By default config (on the Search Head where the AWS app is deployed), I believe you mean this 👇

image (3).png

0 Karma

Vardhan
Contributor

Hi,

Please check in macro.conf whether any other index name is mentioned.

Also, the screenshot below shows a warning that the required inputs have not been configured. You may get the data from AWS, but that data may not be useful for the app.

So enable the inputs mentioned below on the HF and get those logs into the index.

 

Vardhan_0-1615791500538.png

 

Dhanaskv
Path Finder

My Index name (aws_index) configured in the indexer cluster:

My Heavy Forwarder (AWS add-on deployed) configuration:

Screenshot from 2021-03-15 15-11-38.png

 

macro.conf file:

Screenshot from 2021-03-15 15-13-16.png

Is the macro.conf file correct or wrong?

0 Karma

Vardhan
Contributor

Hi,

Can you follow the steps below, given in the document? The macro is using the AWS indexes, and you need to replace them all with the custom indexes you created for AWS logs.

Vardhan_0-1615802735088.png

https://docs.splunk.com/Documentation/AWS/6.0.2/Installation/Useacustomindex

Dhanaskv
Path Finder

Yes @Vardhan  

but I can't find the fifth step

Screenshot from 2021-03-15 15-58-06.png

 

0 Karma

Vardhan
Contributor

This might help you.

Vardhan_0-1615804642548.png

Dhanaskv
Path Finder

Yes @Vardhan  

This article is really helpful,
but the result didn't change at all.

0 Karma

isoutamo
SplunkTrust
https://docs.splunk.com/Documentation/AWS/6.0.2/Installation/Useacustomindex
In the Splunk Add-on for AWS, modify the aws-account-index and aws-input-index macros to include the custom index you created.

Dhanaskv
Path Finder

Thanks for the response, @isoutamo

0 Karma