All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for AWS: VPC Flow Logs – Empty inputs on the Traffic Analysis dashboard

_smp_
Builder
‎12-04-2017 11:26 AM

I have configured a VPC Flow Log input on my heavy forwarder (HF) and confirmed I am getting the correct data in the index. But on the VPC Flow Logs - Traffic Analysis dashboard, only the Account ID input is the only input being populated. While troubleshooting, I looked at the Simple XML of the dashboard and it looks like there are quite a few searches referencing a strange field value. For example, here is the search which is supposed to populate the Interface ID input:

`aws-vpc-flow-log-index` source="dest_ip" $accountId$ | stats count by interface_id

The thing that looks odd to me is source="dest_port" - the source field never has a value of the string dest_port. There are a number of other searches in the dashboard looking for the same value of the source field, and a few more looking for a value of source="src_ip". When I take out that field from the Interface ID field search, I get the values I would expect.

It seems very odd that so many searches in this dashboard would look for these field values, but it also seems very wrong that I would have to hack the XML this much. Any idea what's going on here?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_smp_
Builder
‎12-04-2017 12:21 PM

After further study of the documentation, I enabled the saved search Addon Metadata - Summarize AWS Inputs on my Search Head, and this seems to have done the trick. I am starting to get data in the Dashboard now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

OzzySplunker
Loves-to-Learn Lots
‎09-27-2021 02:43 PM

The highlighted solution did not work for me. We are using Splunk Cloud, and even though I had the Addon Metadata - Summarize AWS Inputs enabled on the IDM, it the VPC Flow Logs - Traffic Analysis dashboard was still not populating.

My solution was that I had to manually run some saved searches on the IDM to build lookups for the dashboard:

  • VPC Flow Logs Summary Generator - Dest IP
  • VPC Flow Logs Summary Generator - Dest Port
  • VPC Flow Logs Summary Generator - Src IP

 

0 Karma
Reply
Solved! Jump to solution
Solution

_smp_
Builder
‎12-04-2017 12:21 PM

After further study of the documentation, I enabled the saved search Addon Metadata - Summarize AWS Inputs on my Search Head, and this seems to have done the trick. I am starting to get data in the Dashboard now.

0 Karma
Reply
Solved! Jump to solution

joemilli
New Member
‎06-08-2018 01:41 PM

hey Scott, thank you. I found it.

0 Karma
Reply
Solved! Jump to solution

joemilli
New Member
‎06-08-2018 11:32 AM

Hi, I can not seem to find the screen to enable this setting. Running 7.0.0:
alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

_smp_
Builder
‎06-08-2018 01:14 PM

You are looking at the App, not the Add-On. But the search I'm referring to cannot be found navigating the Add-On either. Click on Settings > Searches, reports, and alerts, select the 'App: Splunk Add-on for AWS (Splunk_TA_aws)' filter (or 'All'), and find look for the 'Addon Metadata - Summarize AWS Inputs' search.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...