Current AWS elastic block store volumes
Knowing how many EBS volumes you have, along with their size, type, current snapshot size, and usage, is valuable for understanding cost and potential performance ramifications. In addition, unused EBS volumes are very common, and eliminating them provides an easy way to reduce cost in your AWS environment. As an IT administrator, you want to start monitoring this information.
Data required
AWS: Description data
Procedure
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
  - Pulling the data from Splunk via AWS APIs. At small scale, pulling via the AWS APIs works fine.
  - Pushing the data from AWS into Splunk via Lambda/Firehose to the Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="*:ec2_volumes" sourcetype="aws:description" | dedup id sortby -_time | table account_id zone id snapshot_id type size attach_data.instance_id status | sort -status
Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
source="*:ec2_volumes" sourcetype="aws:description" | Search only your EC2 volumes and filter by description data. |
\| dedup id sortby -_time | Remove duplicate instances by ID and sort the remaining results with the most recent instances first. |
\| table account_id zone id snapshot_id type size attach_data.instance_id status | Display the results in a table with columns in the order shown. |
\| sort -status | Sort the results by status in descending order. |
Next steps
Sample results for this search are shown in the table below. They serve as a good baseline for understanding the EBS inventory, scale, location, type, and usage.
account_id | zone | id | snapshot_id | type | size | attach_data.instance_id | status |
---|---|---|---|---|---|---|---|
The sample shown can be augmented by many other fields in this source and source type data. Another useful field is attach_data, which includes the attach time and the deleteOnTermination flag. Knowing these would help you understand the age of volumes and could inform a cost-reducing policy that requires justification for volumes that are past a certain age. Delete on termination is the default behavior for root volumes. You may want to expand that behavior to other volumes with data that is considered ephemeral. If the data needs to be retained, then the age of the volume can be used for archiving decisions.
Inventory data such as usage, age, and location can be used to find efficiencies, which are important in a cloud environment due to usage fees. This type of information can help you maintain infrastructure in the most cost-effective way.
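As an added example (not part of the original page), the following variation of the search above summarizes unused volumes per account, zone, and type, alongside the total volume count and size for comparison. It assumes that the status field carries the EBS volume state and that the value available means the volume is not attached to any instance; confirm the values in your own data before relying on it.

```spl
source="*:ec2_volumes" sourcetype="aws:description"
| dedup id sortby -_time
| eval unattached=if(status="available", 1, 0)
| stats count AS volumes
        sum(size) AS total_size
        sum(unattached) AS unattached_volumes
        sum(eval(if(status="available", size, 0))) AS unattached_size
        BY account_id zone type
| where unattached_volumes > 0
| sort -unattached_size
```

As with the original search, specify an index and a time range that covers at least one full description collection interval so that every volume is represented once after the dedup.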
Finally, you might be interested in other processes associated with the Managing an Amazon Web Services environment use case.