Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk App for AWS: The Billing Dashboard does not...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk App for AWS: The Billing Dashboard does not handle multiple adjustment cost records/events in a given month
In a previous month, our AWS billing feed received 31 cost adjustment records. The 2 searches on that dashboard (monthly-cost-by-account and monthly-cost-by-service) adds all the cost events for that given month thus distorting the total cost. The actual cost was received in the last event. The search string for each of the dashboard displays is as follows
`aws-billing-monthly($cAccountId$, $cCurrency$)` RecordType=AccountTotal | timechart span=1mon eval(round(sum(TotalCost),2)) as TotalCost by LinkedAccount limit=20 | eval nowstring=strftime(now(), "%Y-%m") | eval timestring=strftime(_time, "%Y-%m") | where NOT timestring=nowstring | fields - nowstring timestring
`aws-billing-monthly($cAccountId$, $cCurrency$)` RecordType=LinkedLineItem | timechart span=1mon eval(round(sum(TotalCost),2)) as TotalCost by ProductName limit=20 | eval nowstring=strftime(now(), "%Y-%m") | eval timestring=strftime(_time, "%Y-%m") | where NOT timestring=nowstring | fields - nowstring timestring
The search strings above are only expecting 1 record for a given month.
So, my question(s) is how to proceed - can the 2 searches be modified to handle multiple cost adjustments records received in a given month using the last one as the final cost? Should I attempt to delete the 30 records that do not reflect the true/final cost ot that month? The search strings above are only expecting 1 record for a given month.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 2 work a rounds were for
https://splunkbase.splunk.com/app/1274/
There is a billing dashboard in this app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BillBaker
I edited and retagged your post, but wanted to clarify for other users that find this. Are you referring to the Splunk App for AWS (https://splunkbase.splunk.com/app/1274/ ), or the Splunk App for AWS Billing (https://splunkbase.splunk.com/app/1577/ ) in your post?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured out correcting the first search using "latest" parm with timechart
The second search is a little more involved because it does have multiple feeding each month's services - not just one for each service. I am attempting to find and then filter out the extra records.
AWS app is maintained by splunk. Those who maintain it may want to review and adapt to what seems to be new billing practices by AWS.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Better result on "latest" was using "last" parm with timechart
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
