You might want to identify resources missing a specific tag when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- AWS description data
- Splunk Add-on for Amazon Web Services
Resource tags are a critical part of the cloud asset management strategy for most organizations. However, with such a flexible design, tag management and analysis can be challenging to review and manage.
You can use this search to identify a resource that is missing a tag that is expected by your organization.
To optimize the search shown below, you should specify a time range.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search:
index="<AWS index name>" sourcetype="aws:description" | dedup id | rex field=source ":(?<resource_type>.*)" | search resource_type IN (ec2_instances) | search (NOT tags.<tag name>=*) | table account_id region, id, tags.*
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|index="<AWS index name>" sourcetype="aws:description"||Search the index(s) where AWS data is stored filtered to just the AWS description data.|
|| dedup id||Remove duplicate IDs to get the latest results for each resource.|
|| rex field=source ":(?<resource_type>.*)"||
Extract the type of AWS resource out of the source field.
Modify the IN clause by adding or changing the types of resources to evaluate. Use * to evaluate all resource types. Other resource type examples include ec2_volumes, vpcs, ec2_security_groups, etc.
|| search resource_type IN (ec2_instances)||Filter down to a specific resource type.|
|| search (NOT tags.<tag name>=*)||
Filter down to a specific tag to evaluate. For instance,
|| table account_id region, id, tags.*||Display the results in a table with columns in the order shown.|
The resulting table shows any AWS resource that doesn't have a value for the tag name you chose to search for.