
Splunk App for AWS: VPC Flow Logs – Empty inputs on the Traffic Analysis dashboard

_smp_
Builder

I have configured a VPC Flow Log input on my heavy forwarder (HF) and confirmed I am getting the correct data in the index. But on the VPC Flow Logs - Traffic Analysis dashboard, the Account ID input is the only input being populated. While troubleshooting, I looked at the Simple XML of the dashboard and it looks like there are quite a few searches referencing a strange field value. For example, here is the search which is supposed to populate the Interface ID input:

`aws-vpc-flow-log-index` source="dest_ip" $accountId$ | stats count by interface_id

The thing that looks odd to me is source="dest_port" - the source field never has a value of the string dest_port. There are a number of other searches in the dashboard looking for the same value of the source field, and a few more looking for a value of source="src_ip". When I take out that field from the Interface ID field search, I get the values I would expect.

It seems very odd that so many searches in this dashboard would look for these field values, but it also seems very wrong that I would have to hack the XML this much. Any idea what's going on here?

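To reproduce the troubleshooting step above (reading the dashboard's Simple XML and listing which input and panel searches pin a literal `source="..."` value), here is a small stand-alone script. It is an added example written for this thread, not code from Splunk or from the App for AWS; the dashboard XML it parses is constructed to mimic the shape described in the question, and the token and label names in it are assumptions.

```python
"""Enumerate the searches in a Splunk Simple XML dashboard and flag
those whose query filters on a literal source="..." value.

Added example for this thread (not Splunk's code and not the App for
AWS dashboard itself). The XML below is constructed; element, token
and label names are assumptions, not copied from the real app.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two inputs (one pinned to source="dest_ip") and
# one untitled panel pinned to source="src_ip".
SAMPLE_DASHBOARD = """<form>
  <fieldset>
    <input type="dropdown" token="accountId">
      <label>Account ID</label>
      <search><query>`aws-vpc-flow-log-index` | stats count by account_id</query></search>
    </input>
    <input type="dropdown" token="interfaceId">
      <label>Interface ID</label>
      <search><query>`aws-vpc-flow-log-index` source="dest_ip" $accountId$ | stats count by interface_id</query></search>
    </input>
  </fieldset>
  <row><panel>
    <chart><search><query>`aws-vpc-flow-log-index` source="src_ip" $accountId$ | timechart count</query></search></chart>
  </panel></row>
</form>"""

# Matches a literal source="value" clause in an SPL query string.
SOURCE_FILTER = re.compile(r'\bsource\s*=\s*"([^"]*)"')


def dashboard_searches(xml_text):
    """Return (label, query) pairs for every <query> under an <input> or <panel>.

    Inputs are labelled with their <label> text; panels use their <title>,
    falling back to the tag name when the panel is untitled.
    """
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter():
        if node.tag not in ("input", "panel"):
            continue
        label = node.findtext("label") or node.findtext("title") or node.tag
        for q in node.iter("query"):
            found.append((label, (q.text or "").strip()))
    return found


def literal_source_filters(xml_text):
    """Map each search label to the literal source= values its query pins."""
    result = {}
    for label, query in dashboard_searches(xml_text):
        values = SOURCE_FILTER.findall(query)
        if values:
            result[label] = values
    return result


if __name__ == "__main__":
    for label, values in literal_source_filters(SAMPLE_DASHBOARD).items():
        print(f"{label}: source pinned to {values}")
```

Run it against the real dashboard by replacing `SAMPLE_DASHBOARD` with the contents of the dashboard's XML file; every search it lists with a pinned `source` value is one that will return nothing unless something else (such as a summary search) has written events with that `source`.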
1 Solution

_smp_
Builder

After further study of the documentation, I enabled the saved search Addon Metadata - Summarize AWS Inputs on my Search Head, and this seems to have done the trick. I am starting to get data in the Dashboard now.


OzzySplunker
Loves-to-Learn Lots

The highlighted solution did not work for me. We are using Splunk Cloud, and even though I had the Addon Metadata - Summarize AWS Inputs enabled on the IDM, the VPC Flow Logs - Traffic Analysis dashboard was still not populating.

My solution was that I had to manually run some saved searches on the IDM to build lookups for the dashboard:

  • VPC Flow Logs Summary Generator - Dest IP
  • VPC Flow Logs Summary Generator - Dest Port
  • VPC Flow Logs Summary Generator - Src IP



joemilli
New Member

hey Scott, thank you. I found it.


joemilli
New Member

Hi, I can not seem to find the screen to enable this setting. Running 7.0.0:

_smp_
Builder

You are looking at the App, not the Add-On. But the search I'm referring to cannot be found navigating the Add-On either. Click on Settings > Searches, reports, and alerts, select the 'App: Splunk Add-on for AWS (Splunk_TA_aws)' filter (or 'All'), and look for the 'Addon Metadata - Summarize AWS Inputs' search.
