Solved: Re: I have Configured AWS add-on in Heavy Forwarde...

Dhanaskv · ‎03-14-2021

I have Configured Distributed Splunk Setup AWS add-on in Heavy Forwarder and AWS app in Search Head but Configuration changes not displaying AWS app dashboard Screenshot from 2021-03-15 10-26-37.png

Dhanaskv · ‎03-15-2021

@Vardhan Thank you so much for your time I am really happy
here are the steps find the result
1.Install Splunk AWS add-on in Search Head
2.Create outputs.conf in search head directory (/opt/Splunk/etc/apps/splunk_apps_aws/local/ vi output.conf)
3. Enter the following content in output.conf
([indexAndForward]
index = false # Turn off indexing on the search head
[tcpout]
defaultGroup = my_search_peers # Name of the search peer group
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997 # list of peers)

View solution in original post

Dhanaskv · ‎03-15-2021

@Vardhan Thank you so much, Vishnu without your help I can't the solution

Dhanaskv · ‎03-15-2021

@Vardhan Thank you so much for your time I am really happy
here are the steps find the result
1.Install Splunk AWS add-on in Search Head
2.Create outputs.conf in search head directory (/opt/Splunk/etc/apps/splunk_apps_aws/local/ vi output.conf)
3. Enter the following content in output.conf
([indexAndForward]
index = false # Turn off indexing on the search head
[tcpout]
defaultGroup = my_search_peers # Name of the search peer group
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997 # list of peers)

Vardhan · ‎03-14-2021

Hi,

Whether logs are coming to index?

If logs are coming then I believe the app is not fetching the logs from correct index.Just check the default config of app is anywhere mentioned the index name in macro or eventtype.

Dhanaskv · ‎03-14-2021

Thanks for your response

Whether logs are coming to index? 👇

Yes @Vardhan

Screenshot from 2021-03-15 11-47-57.png

the default config of the app is anywhere mentioned the index name in macro or event type?

@Vardhan default config (In Search Head Where AWS app Deployed) means I believe this 👇

image (3).png

Vardhan · ‎03-15-2021

Hi,

Please check in macro.conf is there any other index name is mentioned.

And also in the below screenshot shows the warning like the required inputs has not been configured. You may get the data from the aws.But that data may not be useful for the app.

So enable the below mentioned inputs in the hf and get those logs to the index.

Dhanaskv · ‎03-15-2021

My Index name (aws_index) configured in the indexer cluster:

My Heavy Forwarder (Deployed in AWS add-on ) configuration:

Screenshot from 2021-03-15 15-11-38.png

macro.conf file:

Screenshot from 2021-03-15 15-13-16.png

macro. conf file is correct or wrong?

Vardhan · ‎03-15-2021

Hi,

Can you follow the below steps given in the document. The Macro is using the Aws indexes and you need to replace all with custom indexes which you have created for aws logs.

https://docs.splunk.com/Documentation/AWS/6.0.2/Installation/Useacustomindex

Dhanaskv · ‎03-15-2021

Yes @Vardhan

but the fifth step can't find out

Screenshot from 2021-03-15 15-58-06.png

Vardhan · ‎03-15-2021

This might help you.

Dhanaskv · ‎03-15-2021

Yes @Vardhan

This article really helpful
but the result didn't any change

isoutamo · ‎03-15-2021

https://docs.splunk.com/Documentation/AWS/6.0.2/Installation/Useacustomindex
In the Splunk Add-on for AWS, modify the aws-account-index and aws-input-index macros to include the custom index you created.

Dhanaskv · ‎03-15-2021

Thanks for response @isoutamo

I have Configured AWS add-on in Heavy Forwarder and AWS app in Search Head but not displaying AWS app dashboared

configuration

dashboard

installation

troubleshooting

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL