
Where in our Splunk environment do we install the Splunk App for AWS and Splunk Add-on for Amazon Web Services?

pipegrep
Path Finder

Something's just not clicking here.

Colleagues have EC2 instances in AWS and want to index logs in our internal Splunk environment. I see that they have CloudTrail configured, but I am a complete noob to AWS and my experience with Splunk is not deep.

I see these two apps:
Splunk App for AWS
Splunk Add-on for Amazon Web Services

Where exactly do these apps get installed? On the instance? on the Searchhead?
How can we “bake” splunk in to our instances?
How will we tell which instance the logs are from?

1 Solution

_d_
Splunk Employee

I'll address your questions sequentially:

Where exactly do these apps get installed? On the instance? on the Searchhead?

If you have a single Splunk instance (search head), they both get installed and configured in there.

If you have a distributed Splunk environment:

(1) Install and configure the App on the Search Head.
(2) Install and configure the Add-on on a Heavy Forwarder (one that forwards to the indexers). You should not configure the add-on on the indexers because each will try to pull data and you'll have duplicates.
(3) Install (but not configure) the Add-on on the search head(s). This last point is about making sure you have all the necessary search-time logic on the Search Head: field extractions, tags, eventtypes, etc.

How can we “bake” splunk in to our instances?

Search for the Splunk AMI in the AWS Marketplace and use that to source your instances. Otherwise, if you're referring to your on-prem instances, then simply install Splunk.

How will we tell which instance the logs are from?

Logs will be fetched from AWS by the instance that you install the Add-on to.

Make sure you follow the documentation for the add-on and the app:

Splunk App for AWS: https://apps.splunk.com/app/1274/#/documentation
Splunk Add-on for Amazon Web Services: https://apps.splunk.com/app/1876/#/documentation

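One way to check a deployment inventory against the placement rules in this answer, as an added example that is not from the thread (the inventory format, role names and host names are constructed assumptions, not anything read from a real Splunk deployment):

```python
# Added example, not from the thread: audit a Splunk deployment inventory against
# the placement rules in the accepted answer. The inventory format and the sample
# hosts are constructed for illustration; nothing here queries a real deployment.
APP = "Splunk App for AWS"
ADDON = "Splunk Add-on for Amazon Web Services"

def audit_layout(hosts):
    """Check {host: {"role": r, "apps": {name: configured}}} and return findings.

    A value of True under "apps" means the app's data inputs are enabled
    (configured); False means it is installed only, for search-time knowledge."""
    findings = []
    hf_pulling = 0
    for host, info in hosts.items():
        role, apps = info["role"], info["apps"]
        if role == "standalone":
            for name in (APP, ADDON):
                if not apps.get(name):
                    findings.append(f"{host}: {name} must be installed and configured on a single instance")
        elif role == "search_head":
            if APP not in apps:
                findings.append(f"{host}: {APP} missing from the search head")
            if ADDON not in apps:
                findings.append(f"{host}: {ADDON} not installed on the search head (field extractions, tags, eventtypes would be missing)")
            elif apps[ADDON]:
                findings.append(f"{host}: {ADDON} inputs enabled on the search head; configure it on the heavy forwarder instead")
        elif role == "indexer" and apps.get(ADDON):
            findings.append(f"{host}: {ADDON} inputs enabled on an indexer; every indexer would pull the same data and create duplicates")
        elif role == "universal_forwarder" and ADDON in apps:
            findings.append(f"{host}: {ADDON} on a universal forwarder, which lacks the Python bundled with Splunk")
        elif role == "heavy_forwarder" and apps.get(ADDON):
            hf_pulling += 1
    if hf_pulling == 0 and not any(i["role"] == "standalone" for i in hosts.values()):
        findings.append("no heavy forwarder has the add-on configured, so nothing pulls data from AWS")
    return findings

# Constructed inventory: one search head, one heavy forwarder, two indexers.
SAMPLE_LAYOUT = {
    "sh01": {"role": "search_head", "apps": {APP: True, ADDON: False}},
    "hf01": {"role": "heavy_forwarder", "apps": {ADDON: True}},
    "idx01": {"role": "indexer", "apps": {ADDON: True}},   # mistake: pulls a second copy
    "idx02": {"role": "indexer", "apps": {}},
}

if __name__ == "__main__":
    for finding in audit_layout(SAMPLE_LAYOUT):
        print(finding)
```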
pipegrep
Path Finder

"Install and configure Add-on on a Heavy Forwarder"
Will a universal forwarder work?


_d_
Splunk Employee
Splunk Employee

Pipegrep, unfortunately it won't, because the add-on requires the Python that ships with Splunk. A Heavy Forwarder is simply a Splunk instance that does not do any indexing or searching; it only forwards processed data to your indexers.

pipegrep
Path Finder

Got it. I was coming to the same conclusion reading the docs, thanks d


dolivasoh
Contributor

If you're using a distributed environment, the app goes on the search head and the add-on goes on the indexer. If standalone, both go on the same instance.
