Splunk App for AWS: VPC Flow Logs – Empty inputs on the Traffic Analysis dashboard

_smp_
Builder

I have configured a VPC Flow Log input on my heavy forwarder (HF) and confirmed I am getting the correct data in the index. But on the VPC Flow Logs - Traffic Analysis dashboard, the Account ID input is the only input being populated. While troubleshooting, I looked at the Simple XML of the dashboard and it looks like there are quite a few searches referencing a strange field value. For example, here is the search which is supposed to populate the Interface ID input:

`aws-vpc-flow-log-index` source="dest_ip" $accountId$ | stats count by interface_id

The thing that looks odd to me is source="dest_port" - the source field never has a value of the string dest_port. There are a number of other searches in the dashboard looking for the same value of the source field, and a few more looking for a value of source="src_ip". When I take out that field from the Interface ID field search, I get the values I would expect.

It seems very odd that so many searches in this dashboard would look for these field values, but it also seems very wrong that I would have to hack the XML this much. Any idea what's going on here?

1 Solution

_smp_
Builder

After further study of the documentation, I enabled the saved search Addon Metadata - Summarize AWS Inputs on my Search Head, and this seems to have done the trick. I am starting to get data in the Dashboard now.

joemilli
New Member

Hey Scott, thank you. I found it.


joemilli
New Member

Hi, I cannot seem to find the screen to enable this setting. Running 7.0.0.


_smp_
Builder

You are looking at the App, not the Add-On. But the search I'm referring to cannot be found navigating the Add-On either. Click on Settings > Searches, reports, and alerts, select the 'App: Splunk Add-on for AWS (Splunk_TA_aws)' filter (or 'All'), and look for the 'Addon Metadata - Summarize AWS Inputs' search.