Splunk App for AWS

Gain critical operational and security visibility into your AWS account using the Splunk App for AWS. The app offers a pre-built knowledge base of dashboards and reports to deliver real-time visibility into your environment using data from AWS CloudTrail, Config and Billing.

• Leverage your CloudTrail data, to get insights into security-related activity such as unauthorized access attempts, simultaneous logins from disparate locations and changes to access control privileges.
• Use your AWS Config data to understand configuration changes AWS resources relationships.
• Correlate CloudTrail and Config data to gain a comprehensive security and compliance view of your account
• Paired with Splunk Add-on for Amazon Web Services, the app also provides critical billing and account information.

To deploy Splunk Enterprise in AWS, find the Splunk Enterprise AMI in the AWS Marketplace . To get all features of Splunk Enterprise as software-as-a-service, check out Splunk Cloud or sign up for our Free Online Sandbox.

Release Notes

What's new in version 3.0:

AWS CloudTrail:

  • Modular input for collection provided by Splunk Add-on for Amazon Web Services
  • New dashboards for AWS CloudTrail:
  • Overview
  • Security
  • Networking
  • Storage
  • Instances
  • User Activity Tracking
  • Alerts for AWS Cloudtrail (use them as templates to build your own or simply customize and enable)

AWS Config:

  • Modular input for collection provided by Splunk Add-on for Amazon Web Services v1.1.0
  • New dashboards for AWS Config:
  • Overview
  • Resource Type Changes
  • Resource Changes
  • Resource Relationship

Billing Reports:

Billing reports are provided by Splunk Add-on for Amazon Web Services. For information on how to enable billing and see associated reports please click here.


WARNING! Version 3 is NOT backwards compatible with version 2. This version is a complete replacement and you may not have the same content.


  • Splunk:
  • Splunk 6.1 or later
  • Splunk Add-on for Amazon Web Services
  • Splunk Add-on for Amazon Web Services +1.1.0 required for AWS Config

  • AWS:

  • AWS CloudTrail: Enable CloudTrail with SQS and SNS. More here
  • AWS Config: Enable Config with SQS and SNS. More here.
  • Billing: Refer to the AWS documentation to turn on AWS detailed billing. Start here

Installation and configuration

Step 1: Download and install Splunk Add-on for Amazon Web Services

  • Use version +1.1.0 of the Add-on collecting AWS Config notifications.
  • To install either version of the Add-on follow these insructions

Step 2: Configure the Add-on

  • To configure your Add-on follow its insructions
  • To configure specific inputs go to Settings > Data inputs in Splunk Web and select AWS CloudTrail and/or AWS Config. For each of the options you will need to select the appropriate AWS Account, SQS Queue Region and SQS Queue Name.
  • Under More Settings the following options are recommended for AWS CloudTrail and AWS Config:

AWS CloudTrail:

  • Data is labeled with sourcetype aws:cloudtrail
  • A separate index named aws-cloudtrail is selected as the destination index

AWS Config:

  • Data is labeled with sourcetype aws:config
  • A separate index named aws-config is selected as the destination index

Step 3 Install and configure the Splunk App for AWS

Install the app on your Search Head either via UI or CLI

UI install:

  • Download from Splunk Apps.
  • From the Splunk Web interface, click on Apps > Manage Apps to open the Apps Management page.
  • Click Install app from file, locate the downloaded file, and click Upload.
  • Restart Splunk Enterprise if instructed to do so.


  • If index and sourcetype definitions are the same as above, no other action are necessary. Otherwise, change macros.conf to reflect appropriate CloudTrail and Config index and sourcetype selections.
  • Enable and modify AWS CloudTrail Alerts according to your requirements. Alerts ship disabled and with a default scheduled interval of 15min.

Notes on lookup files:

  • all_eventName.csv: an automatically updated file with AWS CloudTrail eventNames. The file also contains a 'highlight' field that is used to base highlighting of CloudTrail's eventName in dashboards. Use this field to color eventNames according to your severity definitions.
  • protocols.csv: a static lookup table with network protocol numbers-to-name translations
  • regions: a static lookup table with AWS regions and their geographical locations
  • resourceType.csv: an automatically updated file with AWS Config resource types.

I already know Splunk!

If you are an experienced Splunk administrator, here are the key points for this app:

  • Requires installation of the Splunk add-on for AWS
  • To collect AWS Config data, you must use version +1.1.0 of the Add-on
  • This app is NOT backwards compatible with v2 and is completely new: do not install if you want to keep stuff from v2
  • It recommends the use of these index names: aws-cloudtrail, aws-config
  • It uses these two sourcetypes: aws:cloudtrail, aws:config
  • Installs the above lookups.

18 ratings

Version 3.0.2

Community Supported

Ask a Question

This app is published by Splunk but is not officially Splunk supported.

Built by Splunk Inc