All Apps and Add-ons

Where in our Splunk environment do we install the Splunk App for AWS and Splunk Add-on for Amazon Web Services?

Path Finder

Something's just not clicking here.

Colleagues have EC2 instances in AWS and want to index logs in our internal Splunk environment. I see that they have CloudTrail configured, but I am a complete noob to AWS and my experience with Splunk is not deep.

I see these two apps:
Splunk App for AWS
Splunk Add-on for Amazon Web Services

Where exactly do these apps get installed? On the instance? On the search head?
How can we “bake” Splunk into our instances?
How will we tell which instance the logs are from?

1 Solution

Splunk Employee

I'll address your questions sequentially:

Where exactly do these apps get installed? On the instance? On the search head?

If you have a single Splunk instance (search head), they both get installed and configured in there.

If you have a distributed Splunk environment:
(1) Install and configure the App on the Search Head.
(2) Install and configure the Add-on on a Heavy Forwarder (one that forwards to the indexers). You should not configure the add-on on the indexers, because each will try to pull data and you'll have duplicates.
(3) Install (but do not configure) the Add-on on the search head(s). This last point is about making sure you have all the necessary search-time logic on the Search Head: field extractions, tags, eventtypes, etc.

How can we “bake” Splunk into our instances?

Search for the Splunk AMI in the AWS Marketplace and use that to source your instances. Otherwise, if you're referring to your on-prem instances, then simply install Splunk.

How will we tell which instance the logs are from?

Logs will be fetched from AWS by the instance that you install the Add-on to.

Make sure you follow the documentation for the add-on and the app:

Splunk App for AWS: https://apps.splunk.com/app/1274/#/documentation
Splunk Add-on for Amazon Web Services: https://apps.splunk.com/app/1876/#/documentation

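The placement rules in the accepted answer are easy to get wrong in a larger deployment, so here is a small checker written as an added example for this thread (it is not code from the thread, from Splunk, or from either app). It encodes the rules as stated above: in a standalone deployment the app and add-on are both installed and configured on the one instance; in a distributed deployment the app lives on the search head, the add-on is installed and configured on a heavy forwarder, installed but not configured on search heads, and never configured on indexers, because every indexer pulling the same data produces duplicate events. The inventory schema, the role labels and the host names are assumptions made for the example; the "bad" inventory is constructed to show the duplicate-pull mistake.

```python
"""Placement checker for the Splunk App for AWS and Splunk Add-on for AWS.

Added example for this thread, not code from the thread or from Splunk.
The inventory format, role labels and host names below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Role labels are assumptions for this example; they mirror the roles named in the thread.
STANDALONE, SEARCH_HEAD, HEAVY_FORWARDER, INDEXER = (
    "standalone", "search_head", "heavy_forwarder", "indexer")


@dataclass
class SplunkHost:
    name: str
    role: str
    app_installed: bool = False         # Splunk App for AWS present
    addon_installed: bool = False       # Splunk Add-on for AWS present
    addon_inputs_enabled: bool = False  # add-on configured with inputs that pull from AWS


def check_placement(hosts: List[SplunkHost]) -> List[str]:
    """Return a list of findings; an empty list means the layout matches the rules."""
    findings: List[str] = []
    for h in hosts:
        if h.role == STANDALONE:
            # Single instance: app and add-on are both installed and configured here.
            if not (h.app_installed and h.addon_installed and h.addon_inputs_enabled):
                findings.append(f"{h.name}: standalone instance needs the app and a configured add-on")
        elif h.role == SEARCH_HEAD:
            if not h.app_installed:
                findings.append(f"{h.name}: search head is missing the Splunk App for AWS")
            if not h.addon_installed:
                findings.append(f"{h.name}: search head is missing the add-on "
                                "(search-time field extractions, tags, eventtypes)")
            if h.addon_inputs_enabled:
                findings.append(f"{h.name}: add-on inputs are enabled on a search head; "
                                "collect on a heavy forwarder instead")
        elif h.role == HEAVY_FORWARDER:
            if not h.addon_installed:
                findings.append(f"{h.name}: heavy forwarder has no add-on installed")
        elif h.role == INDEXER:
            if h.addon_inputs_enabled:
                findings.append(f"{h.name}: indexer pulls from AWS; every indexer doing this "
                                "produces duplicate events")
        else:
            findings.append(f"{h.name}: unknown role {h.role!r}")

    # Deployment-wide rules: exactly one collector, and it should be a heavy forwarder.
    distributed = any(h.role != STANDALONE for h in hosts)
    pullers = [h for h in hosts if h.addon_inputs_enabled]
    if distributed and not any(h.role == HEAVY_FORWARDER for h in pullers):
        findings.append("no heavy forwarder has the add-on configured; nothing collects the AWS data")
    if len(pullers) > 1:
        names = ", ".join(h.name for h in pullers)
        findings.append(f"multiple hosts pull the same AWS data ({names}); expect duplicate events")
    return findings


def example_inventories() -> Tuple[List[SplunkHost], List[SplunkHost]]:
    """Constructed sample inventories: one laid out per the accepted answer, one not."""
    good = [
        SplunkHost("sh1", SEARCH_HEAD, app_installed=True, addon_installed=True),
        SplunkHost("hf1", HEAVY_FORWARDER, addon_installed=True, addon_inputs_enabled=True),
        SplunkHost("idx1", INDEXER),
        SplunkHost("idx2", INDEXER),
    ]
    # The mistake the answer warns about: add-on configured on each indexer, no heavy forwarder.
    bad = [
        SplunkHost("sh1", SEARCH_HEAD, app_installed=True),
        SplunkHost("idx1", INDEXER, addon_installed=True, addon_inputs_enabled=True),
        SplunkHost("idx2", INDEXER, addon_installed=True, addon_inputs_enabled=True),
    ]
    return good, bad


if __name__ == "__main__":
    for label, inventory in zip(("good", "bad"), example_inventories()):
        print(f"{label}: {check_placement(inventory) or ['ok']}")
```

Run it as-is to see the constructed inventories checked; to use it on your own environment, replace `example_inventories()` with whatever records your role assignments and whether the add-on's inputs are enabled on each host. The "bad" inventory yields five findings, including one per indexer that pulls from AWS and one deployment-wide note that several hosts pull the same data.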

Path Finder

"Install and configure Add-on on a Heavy Forwarder"
Will a universal forwarder work?


Splunk Employee

Pipegrep, unfortunately it won't, because the add-on requires the Python that ships with Splunk. A Heavy Forwarder is simply a Splunk instance that does not do any indexing or searching; it only forwards processed data to your indexers.

Path Finder

Got it. I was coming to the same conclusion reading the docs, thanks d


Contributor

If you're using a distributed environment, the app goes on the search head and the add-on goes on the indexer. If standalone, both go on the same instance.
