I’m trying to set up an AWS input using the Splunk Add-on for Amazon Web Services (AWS). Specifically, I’m trying to set up an input for EC2 instances using the EC2 metric dimension: AutoScalingGroupName. I am able to successfully collect inputs using the metric dimension: InstanceID. The AWS documentation indicates the 4 metric dimensions: AutoScalingGroupName, ImageId, InstanceId, InstanceType
Here are the inputs configured:
THIS ONE WORKS
[aws_cloudwatch://Borderfree-SBX:AWSEC2-All]
aws_account = Borderfree-SBX
aws_region = us-west-1
metric_dimensions = [{"InstanceId": [".*"]}]
metric_names = ".*"
metric_namespace = AWS/EC2
period = 60
polling_interval = 60
sourcetype = aws:cloudwatch
statistics = ["Average","Sum","SampleCount","Maximum","Minimum"]
index = bfr_aws_cloudwatch_sbx
THIS ONE DOES NOT WORK
[aws_cloudwatch://Borderfree-SBX:AWSEC2-AutoScaling]
aws_account = Borderfree-SBX
aws_region = us-west-1
index = bfr_aws_cloudwatch_sbx
metric_dimensions = [{"AutoScalingGroupName": [".*"]}]
metric_names = ".*"
metric_namespace = AWS/EC2
period = 60
polling_interval = 60
sourcetype = aws:cloudwatch
statistics = ["Average","Sum","SampleCount","Maximum","Minimum"]
You may want to modify the AWS IAM Policy you are using to collect the data with Splunk and add a section to allow for reading the AutoScaling service:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
}
]
}
This was just taken from the existing AutoScalingReadOnlyAccess policy found in your IAM Policies.
Sometimes the splunk_app_aws configuration UI is a little more user friendly. Does using that app's setup provide a different syntax that works?
Related docs for those helping with this question: http://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatch