How can Splunk App for AWS and TA for AWS on Searc...

purvipathak · ‎12-28-2017

The Splunk App for AWS and the AWS TA are running on the Search head. The TA is also installed on the Heavy Forwarder. We are able to run the "listawsinputs" command on the TA on the Heavy Forwarder but it is not running on the TA on the search head. The listawsinputs is required to make the Topology dashboard run on the Splunk App for AWS. What can be done to make the two TAs communicate with each other?

nickhills · ‎12-28-2017

They don't talk to 'each other' - they talk via an index!.

When you run the scheduled search on your configured HF it runs
| listawsinputs | collect 'aws-input-index'

The collect statement tells Splunk to write the results of the list command into a summary index defined by aws-input-index
The App on the SH then queries the same summary index, to work out which inputs you HF has been configured with.

You need to make sure that the summary indexes are created on your indexers - otherwise the HFs won't write it into the correct index, and the SH wont be able to find it.

Distribute the summary index

configurations to the indexer:

Copy $SPLUNK_HOME/etc/apps/splunk_apps_aws/default/indexes.conf
from the search head to a temporary
directory on the indexer and then
merge all the settings in the file
into
$SPLUNK_HOME/etc/apps/search/local/indexes.conf
to incorporate the summary index
configurations.

http://docs.splunk.com/Documentation/AWS/5.1.0/Installation/Installon-prem

If my comment helps, please give it a thumbs up!

How can Splunk App for AWS and TA for AWS on Search head communicate with Splunk TA for AWS on Heavy Forwarder?

configurations to the indexer:

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes