Something's just not clicking here.
Colleagues have EC2 instances in AWS and want to index logs in our internal Splunk environment. I see that they have CloudTrail configured, but I am a complete noob to AWS and my experience with Splunk is not deep.
I see these two apps:
Splunk App for AWS
Splunk Add-on for Amazon Web Services
Where exactly do these apps get installed? On the instance? On the search head?
How can we “bake” Splunk into our instances?
How will we tell which instance the logs are from?
I'll address your questions sequentially:
Where exactly do these apps get installed? On the instance? On the search head?
If you have a single Splunk instance (search head), they both get installed and configured there.
If you have a distributed Splunk environment: (1) install and configure the App on the search head; (2) install and configure the Add-on on a heavy forwarder (one that forwards to the indexers; you should not configure the Add-on on the indexers, because each will try to pull data and you'll have duplicates); (3) install (but do not configure) the Add-on on the search head(s). This last point is about making sure you have all the necessary search-time logic on the search head: field extractions, tags, eventtypes, etc.
How can we “bake” Splunk into our instances?
Search for the Splunk AMI in the AWS Marketplace and use that to source your instances. Otherwise, if you're referring to your on-prem instances, then simply install Splunk.
How will we tell which instance the logs are from?
Logs will be fetched from AWS by the instance that you install the Add-on to.
Make sure you follow the documentation for the add-on and the app:
Splunk App for AWS: https://apps.splunk.com/app/1274/#/documentation
Splunk Add-on for Amazon Web Services: https://apps.splunk.com/app/1876/#/documentation
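On the "which instance are the logs from" question: CloudTrail records API activity (who called RunInstances, StopInstances and so on), not the operating-system logs written on an instance, so the instance an event concerns is carried inside the event body, and the add-on host that fetched it says nothing about that. The script below is an added example, not code from this thread or from Splunk's add-on: it walks a constructed CloudTrail delivery file and builds an index from EC2 instance ID to the events that touched it, using the `requestParameters.instancesSet` / `responseElements.instancesSet` layout that EC2 CloudTrail records use. The records, account number, IPs and user names are made up for the example.

```python
"""Added example (not from the thread): attribute CloudTrail events to EC2 instances.

CloudTrail records API calls, not logs written by the instance's OS.  Once the
Splunk Add-on for AWS has pulled these records, the instance an event concerns
is found in the event body (requestParameters / responseElements), not in the
metadata of the forwarder that fetched it.  The records below are constructed
sample data; their field layout follows the CloudTrail record format.
"""
import json
from collections import defaultdict

# Constructed sample: one CloudTrail delivery file holding three records.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({
    "Records": [
        {   # an instance is launched: the new ID appears in the response
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:01:02Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": {"instanceType": "t3.micro"},
            "responseElements": {
                "instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}
            },
        },
        {   # two instances are stopped: the IDs are in the request
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:05:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "StopInstances",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {
                "type": "AssumedRole",
                "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob",
            },
            "requestParameters": {
                "instancesSet": {"items": [
                    {"instanceId": "i-0123456789abcdef0"},
                    {"instanceId": "i-0fedcba9876543210"},
                ]}
            },
            "responseElements": None,
        },
        {   # unrelated S3 call: references no instance
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:06:30Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "requestParameters": None,
            "responseElements": None,
        },
    ]
})


def instance_ids(record):
    """Return the EC2 instance IDs an event references, from request or response."""
    ids = []
    for section in ("requestParameters", "responseElements"):
        body = record.get(section) or {}
        items = (body.get("instancesSet") or {}).get("items") or []
        for item in items:
            iid = item.get("instanceId")
            if iid and iid not in ids:
                ids.append(iid)
    return ids


def caller(record):
    """Best available name for the principal that made the API call."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def events_by_instance(cloudtrail_json):
    """Map each instance ID to the (eventTime, eventName, caller) tuples touching it."""
    data = json.loads(cloudtrail_json)
    index = defaultdict(list)
    for rec in data.get("Records", []):
        for iid in instance_ids(rec):
            index[iid].append((rec["eventTime"], rec["eventName"], caller(rec)))
    return dict(index)


if __name__ == "__main__":
    for iid, events in events_by_instance(SAMPLE_CLOUDTRAIL_FILE).items():
        print(iid)
        for when, name, who in events:
            print(f"  {when}  {name:<14} by {who}")
```

For logs written by the OS or applications on the instance itself (syslog, application logs), CloudTrail will not carry them; those need a forwarder on the instance, which is where the Splunk AMI or an installed universal forwarder comes in.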
"Install and configure Add-on on a Heavy Forwarder"
Will a universal forwarder work?
Pipegrep, unfortunately it won't, because the add-on requires the Python that ships with Splunk. A heavy forwarder is simply a Splunk instance that does not do any indexing or searching; it only forwards processed data to your indexers.
Got it. I was coming to the same conclusion reading the docs, thanks d
If you're using a distributed environment, the app goes on the search head and the add-on goes on the indexer. If standalone, both go on the same instance.
