Splunk Lantern

Current AWS elastic block store volumes

You might want to retrieve basic information about your elastic block store (EBS) volumes when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Knowing how many EBS volumes you have, their sizes and types, their current snapshot sizes, and how they are used helps you understand cost and potential performance ramifications. In addition, unused EBS volumes are very common, and eliminating them provides an easy way to reduce cost in your AWS environment. As an IT administrator, you want to start monitoring this information.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
source="*:ec2_volumes" sourcetype="aws:description"
|dedup id sortby -_time
|table account_id zone id snapshot_id type size  attach_data.instance_id status
|sort -size -status 

Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

source="*:ec2_volumes" sourcetype="aws:description"

Search only your EC2 volumes and filter by description data.

|dedup id sortby -_time

Remove duplicate instances by ID and sort the remaining results with the most recent instances first. 

|table account_id zone id snapshot_id type size  attach_data.instance_id status

Display the results in a table with columns in the order shown.

|sort -size -status 

Sort the results by size and status in descending order.

Result

Sample results for this search are shown in the table below. They serve as a good baseline for understanding the EBS inventory, scale, location, type, and usage. 

account_id   zone             id            snapshot_id    type      size  attach_data.instance_id  status
63605715280  ap-southeast-1a  vol-1823a616  snap-b71cfa5b  standard  500   i-18472f4e               in-use
63605715280  ap-southeast-1b  vol-f01626f8  snap-742b7598  standard  300   i-33b05718               in-use
63605715280  ap-southeast-1b  vol-f05c08f8  snap-bdf1b850  standard  250   i-6e6a4e46               in-use
63605715280  ap-southeast-1b  vol-i9920707  snap-b71cfa5b  gp2       100   null                     available

The sample shown can be augmented by many other fields in this source and sourcetype data. Another useful field is attach_data, which includes the attach time and the deleteOnTermination flag. Knowing these helps you understand the age of volumes and could inform a cost-reducing policy that requires justification for volumes that are past a certain age. Delete on termination is the default behavior for root volumes. You may want to expand that behavior to other volumes with data that is considered ephemeral. If the data needs to be retained, then the age of the volume can inform archiving decisions.
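The age-based policy described above, written as an added search that is not part of the original article: it lists unattached volumes and attached volumes past an age threshold, and marks those that are kept when their instance terminates. The subfield names attach_data.attach_time and attach_data.delete_on_termination, the timestamp format passed to strptime, and the 365-day threshold are assumptions; check them against the fields in your own events before relying on the output.

```spl
source="*:ec2_volumes" sourcetype="aws:description"
| dedup id sortby -_time
| eval max_age_days = 365
| eval attach_age_days = round((now() - strptime('attach_data.attach_time', "%Y-%m-%dT%H:%M:%S")) / 86400)
| eval kept_on_termination = if(lower('attach_data.delete_on_termination') = "false", "yes", "no")
| eval finding = case(
    status = "available", "unattached: confirm owner or delete",
    attach_age_days > max_age_days AND kept_on_termination = "yes", "past age threshold and kept on termination: justify or archive",
    attach_age_days > max_age_days, "past age threshold: justify",
    true(), null())
| where isnotnull(finding)
| table account_id zone id type size status attach_data.instance_id attach_age_days kept_on_termination finding
| sort -size
```

Volumes with no attach time, such as the available volume in the sample results, get an empty attach_age_days and are reported through the status check instead.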

Inventory data such as usage, age, and location can be used to find efficiencies, which are important in a cloud environment due to usage fees. This type of information can help you maintain infrastructure in the most cost-effective way.
