I have configured a VPC Flow Log input on my heavy forwarder (HF) and confirmed I am getting the correct data in the index. But on the VPC Flow Logs - Traffic Analysis dashboard, only the Account ID input is being populated. While troubleshooting, I looked at the Simple XML of the dashboard and it looks like there are quite a few searches referencing a strange field value. For example, here is the search which is supposed to populate the Interface ID input:
`aws-vpc-flow-log-index` source="dest_ip" $accountId$ | stats count by interface_id
The thing that looks odd to me is source="dest_port" - the source field never has a value of the string dest_port. There are a number of other searches in the dashboard looking for the same value of the source field, and a few more looking for a value of source="src_ip". When I take out that field from the Interface ID field search, I get the values I would expect.
It seems very odd that so many searches in this dashboard would look for these field values, but it also seems very wrong that I would have to hack the XML this much. Any idea what's going on here?
After further study of the documentation, I enabled the saved search Addon Metadata - Summarize AWS Inputs on my Search Head, and this seems to have done the trick. I am starting to get data in the Dashboard now.
The highlighted solution did not work for me. We are using Splunk Cloud, and even though I had the Addon Metadata - Summarize AWS Inputs enabled on the IDM, the VPC Flow Logs - Traffic Analysis dashboard was still not populating.
My solution was that I had to manually run some saved searches on the IDM to build lookups for the dashboard:
- VPC Flow Logs Summary Generator - Dest IP
- VPC Flow Logs Summary Generator - Dest Port
- VPC Flow Logs Summary Generator - Src IP
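As an added example (not code from this thread or from the Splunk Add-on for AWS), the script below audits a Simple XML dashboard for searches that filter on source="dest_ip", source="dest_port" or source="src_ip", the values the original post found puzzling and which line up with the three Summary Generator searches listed above. Running it against an exported dashboard tells you which inputs and panels will stay empty until those saved searches have run. The dashboard XML embedded here is a constructed sample, not the add-on's real dashboard.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Simple XML dashboard. It mimics the shape of the
# real one (inputs plus a panel) but is not the add-on's actual dashboard.
SAMPLE_DASHBOARD = """<form>
  <label>VPC Flow Logs - Traffic Analysis (sample)</label>
  <fieldset>
    <input type="dropdown" token="accountId">
      <search><query>`aws-vpc-flow-log-index` | stats count by account_id</query></search>
    </input>
    <input type="dropdown" token="interfaceId">
      <search><query>`aws-vpc-flow-log-index` source="dest_ip" $accountId$ | stats count by interface_id</query></search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top destination ports</title>
      <chart>
        <search><query>`aws-vpc-flow-log-index` source="dest_port" $accountId$ | top dest_port</query></search>
      </chart>
    </panel>
  </row>
</form>
"""

# source values that are only present once the summary searches have run
SUMMARY_SOURCES = {"dest_ip", "dest_port", "src_ip"}

# matches source="..." filters inside an SPL query string
SOURCE_RE = re.compile(r'\bsource\s*=\s*"([^"]+)"')


def _context(parent_of: dict, node: ET.Element) -> str:
    """Describe where a <query> lives: the input token or the panel title."""
    cur = parent_of.get(node)
    while cur is not None:
        if cur.tag == "input":
            return "input:" + cur.get("token", "?")
        if cur.tag == "panel":
            title = cur.find("title")
            return "panel:" + ((title.text or "").strip() if title is not None else "?")
        cur = parent_of.get(cur)
    return "dashboard"


def find_summary_dependent_searches(simple_xml: str) -> list[dict]:
    """Return every dashboard search whose source= filter points at summary data.

    Each result records the enclosing input/panel, the query text, and the
    summary source values it depends on.
    """
    root = ET.fromstring(simple_xml)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    results = []
    for query in root.iter("query"):
        text = (query.text or "").strip()
        hits = set(SOURCE_RE.findall(text)) & SUMMARY_SOURCES
        if hits:
            results.append({
                "context": _context(parent_of, query),
                "query": text,
                "summary_sources": sorted(hits),
            })
    return results


if __name__ == "__main__":
    for dep in find_summary_dependent_searches(SAMPLE_DASHBOARD):
        print(f'{dep["context"]}: depends on source={dep["summary_sources"]}')
        print("   ", dep["query"])
```

To use it on a real dashboard, export the Simple XML from the dashboard editor (or read it from the app's `data/ui/views` directory) and pass the text to `find_summary_dependent_searches`; any panel it reports will be blank on a search head where the corresponding Summary Generator search has not yet produced its lookup.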
Hey Scott, thank you. I found it.
Hi, I cannot seem to find the screen to enable this setting. Running 7.0.0:
You are looking at the App, not the Add-On. But the search I'm referring to cannot be found by navigating the Add-On either. Click on Settings > Searches, reports, and alerts, select the 'App: Splunk Add-on for AWS (Splunk_TA_aws)' filter (or 'All'), and look for the 'Addon Metadata - Summarize AWS Inputs' search.
