I feel I'm going to pull my hair out over this.
In the Splunk Add-on for AWS, I have configured data inputs. This is from our consolidated billing account.
I first tried configuring the cost & usage reports input, but although this pulls in lots of data, nothing is shown in the dashboards.
Looking a bit deeper at the searches, it seems it is not even looking for the sourcetype,
So with that knowledge, I configured the legacy inputs, the monthly report and the detailed billing report.
This seems to pull in more data but the dashboard is still not able to find any results for its searches.
I feel I have missed something, but it's so frustrating to have data in the index but the app completely unable to see it.
Does anyone have experience with this app and getting billing working?
I believe this is an issue with the way some of the AWS Dashboard searches are written. The tags at the beginning of the searches seem to only denote sourcetype. This can cause a searching issue, because by default your account does not search any custom indexes.
If I were to search:
I would most likely get 0 results.
This is because Splunk translates the above search to:
index = <Indexes searched by default> sourcetype=aws:billing
However, if I were to search:
I would see results.
There are a couple of ways to test this:
Looking through the app, I found the lines below in macros.conf:

[aws-billing-index]
definition = (index="main")

[aws-billing-sourcetype]
definition = `aws-billing-index` sourcetype="aws:billing"
It looks like the AWS app as a whole defaults to looking at the "main" index for its data. You could try changing this in macros.conf by copying it to the /local dir, or investigate with my second test above.
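As an added illustration of the override described in the reply above (example config added here, not part of the original reply or of the app itself): a local macros.conf that repoints the app's billing macros at a custom index. It assumes the billing data was written to an index called aws_billing (the name used later in this thread) and that the app's directory is splunk_app_aws; adjust both to match your deployment.

```ini
# Added example: $SPLUNK_HOME/etc/apps/splunk_app_aws/local/macros.conf
# Assumption: the billing input writes to an index named "aws_billing".
#
# Only the stanza being changed needs to appear in local/. Settings in
# local/ take precedence over default/ and survive app upgrades, so the
# shipped default/macros.conf is left untouched.
#
# `aws-billing-sourcetype` expands `aws-billing-index` first, so overriding
# this one stanza is enough to fix every billing search built on the macro.

[aws-billing-index]
definition = (index="aws_billing")

# If historical data also landed in "main", search both instead:
# definition = (index="aws_billing" OR index="main")
```

After saving, restart Splunk (or reload the configuration via the debug/refresh endpoint) and confirm which file won with `splunk btool macros list aws-billing-index --debug`, which prints the source file next to each setting; the local copy should be listed. A plain `` `aws-billing-sourcetype` `` search should then return events without an explicit index= prefix. The alternative that fixes every search rather than just the macro-driven ones is to add the custom index to the role's "Indexes searched by default" list under Settings > Access controls > Roles, which is exactly the default scoping the reply above describes.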
Hey thanks for the reply, I should have said in my original comment that I had tried this already but for the majority of the dashboards I don't get any data at all.
It seems there is some historical detailed billing info coming through but for all other searches nothing is returned.
For example, it cannot even find any account IDs when running this search:
The outcome is the same if I preface it with index=aws_billing
I'm not really sure where to go with it, because the account I am using has full read access to the billing S3 bucket and has no issues pulling the data in, and the data is definitely there.
And the documentation (https://docs.splunk.com/Documentation/AddOns/released/AWS/Billing) is not up to date with the "recommended" way to do this (With cost & usage reports).
Have you yourself got this information working? How is the add-on configured? Is it legacy or with the cost & usage reports?
First of all, you need to be running the AWS App 5.2 or later and you need to enable the billing feature under the "Configure" setting on the AWS App. Once complete, then make sure to update the Backfill / acceleration for the data model (Detailed Billing CUR). It defaults to last 12 hours, change it to last year if you want it to go back.
Splunk App for AWS -> Configure -> Select billing report type Billing (Cost and Usage Report)