Splunk Lantern

Missing AWS resource tags

You might want to identify resources missing a specific tag when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Resource tags are a critical part of the cloud asset management strategy for most organizations. However, because tagging is so flexible, tags can be challenging to review and manage.

You can use this search to identify a resource that is missing a tag that is expected by your organization.

To optimize the search shown below, you should specify a time range.

  1. Ensure that your deployment is ingesting AWS data through one of the following methods:
    • Pulling the data into Splunk via the AWS APIs. At small scale, pulling via the AWS APIs works fine.
    • Pushing the data from AWS into Splunk via Lambda/Firehose to the Splunk HTTP Event Collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
  2. Run the following search:

     index="<AWS index name>" sourcetype="aws:description"
     | dedup id
     | rex field=source ":(?<resource_type>.*)"
     | search resource_type IN (ec2_instances)
     | search (NOT tags.<tag name>=*)
     | table account_id region, id, tags.*

Search explanation

The following breakdown explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: index="<AWS index name>" sourcetype="aws:description"
Explanation: Search the index(es) where AWS data is stored, filtered to just the AWS description data.

Splunk Search: | dedup id
Explanation: Remove duplicate IDs to get the latest results for each resource.

Splunk Search: | rex field=source ":(?<resource_type>.*)"
Explanation: Extract the type of AWS resource out of the source field.

Splunk Search: | search resource_type IN (ec2_instances)
Explanation: Filter down to a specific resource type. Modify the IN clause by adding or changing the types of resources to evaluate. Use * to evaluate all resource types. Other resource type examples include ec2_volumes, vpcs, ec2_security_groups, etc.

Splunk Search: | search (NOT tags.<tag name>=*)
Explanation: Filter down to a specific tag to evaluate. For instance, tags.Owner would be used to validate that an instance contains a tag called 'Owner' populated with some value.

Splunk Search: | table account_id region, id, tags.*
Explanation: Display the results in a table with columns in the order shown.

Result

The resulting table shows any AWS resource that doesn't have a value for the tag name you chose to search for.
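
The same check outside Splunk, as an added example that is not part of the original article or Splunk's own code: it mirrors each stage of the search over constructed events and goes beyond the single-tag case by reporting every missing tag from a required list. The event layout (source as "<region>:<resource type>"), the CostCenter tag name, and treating an empty tag value as missing are assumptions of this example.

```python
import re

# Mirrors: | rex field=source ":(?<resource_type>.*)"
RESOURCE_TYPE = re.compile(r":(?P<resource_type>.*)")

def _event(time, rtype, rid, tags):
    # Constructed event; assumed layout: source is "<region>:<resource type>".
    return {"_time": time, "source": "us-east-1:" + rtype, "id": rid,
            "account_id": "111111111111", "region": "us-east-1", "tags": tags}

# Constructed sample data, not real inventory.
SAMPLE_EVENTS = [
    _event(200, "ec2_instances", "i-0aaa", {"Owner": "web", "CostCenter": "42"}),
    _event(100, "ec2_instances", "i-0aaa", {}),  # older event, superseded
    _event(150, "ec2_instances", "i-0bbb", {"CostCenter": "42"}),
    _event(150, "ec2_instances", "i-0ccc", {"Owner": "", "owner": "db"}),
    _event(150, "ec2_volumes", "vol-0ddd", {}),
]

def missing_tags(events, required, resource_types=("ec2_instances",)):
    """Return {resource id: [missing tag names]} using the latest event per id."""
    report, seen = {}, set()
    # Splunk returns newest events first, so "| dedup id" keeps the latest one.
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        if ev["id"] in seen:
            continue
        seen.add(ev["id"])
        # Mirrors: | search resource_type IN (...)
        match = RESOURCE_TYPE.search(ev.get("source", ""))
        if not match or match.group("resource_type") not in resource_types:
            continue
        tags = ev.get("tags") or {}
        # Mirrors: | search (NOT tags.<tag name>=*), once per required tag.
        # Key lookup is case-sensitive; an empty value is treated as missing
        # (an assumption of this example).
        absent = [name for name in required if not tags.get(name)]
        if absent:
            report[ev["id"]] = absent
    return report

if __name__ == "__main__":
    for rid, absent in missing_tags(SAMPLE_EVENTS, ["Owner", "CostCenter"]).items():
        print(f"{rid} missing: {', '.join(absent)}")
```

In the sample, i-0aaa is not reported because its latest event carries both tags, and i-0ccc is reported because its Owner value is empty and its lowercase owner key does not satisfy the required name.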
