Splunk Lantern

Current AWS elastic load balancer instances

 

Your organization has a large number of ELB instances currently deployed to AWS. You want to be able to quickly take an inventory of all of them, as well as their configured fully qualified domain names (FQDNs), to better manage your cloud infrastructure.

Data required

AWS: Description data

Procedure

  1. Configure the Splunk Add-on for Amazon Web Services.
  2. Ensure that your deployment is ingesting AWS data through one of the following methods:
    • Pulling the data from AWS into Splunk via the AWS APIs. Pulling works at small scale.
    • Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into the Splunk platform is the easier and more scalable method.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    source="*_load_balancers" sourcetype="aws:description" 
    |eval name=if(isnull(name),LoadBalancerName,name), vpc_id=if(isnull(vpc_id),VpcId,vpc_id), dns_name=if(isnull(dns_name),DNSName,dns_name), id=((((name . "#") . account_id) . "#") . region) 
    |dedup id sortby - created_time
    |table account_id created_time region name dns_name vpc_id

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

source="*_load_balancers" sourcetype="aws:description"

Search only your load balancers and filter by description data.

|eval name=if(isnull(name),LoadBalancerName,name), vpc_id=if(isnull(vpc_id),VpcId,vpc_id), dns_name=if(isnull(dns_name),DNSName,dns_name), id=((((name . "#") . account_id) . "#") . region)

If the name field is null, set it to the value in LoadBalancerName; otherwise keep the existing name. Repeat for the vpc_id and dns_name fields, which fall back to VpcId and DNSName.

Create the id field as a concatenation of name, account_id, and region, separated by "#".

|dedup id sortby - created_time

Remove duplicate instances by ID and sort the remaining results with the most recent instances first.

|table account_id created_time region name dns_name vpc_id

Display the results in a table with columns in the order shown.
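
The eval, dedup, and table steps explained above can be checked offline with a small model. This Python sketch is an added example, not Splunk's code: the event values are constructed, and it assumes events arrive newest first and that dedup drops events whose id is null (the default keepempty=false behavior).

```python
# Added example: offline model of the search's eval, dedup and table steps.
# Every event value below is constructed for illustration.
COLUMNS = ["account_id", "created_time", "region", "name", "dns_name", "vpc_id"]

def coalesce(event, primary, fallback):
    """Mirror eval x=if(isnull(x),Fallback,x)."""
    value = event.get(primary)
    return event.get(fallback) if value is None else value

def inventory(events):
    """events: dicts in the order the search returns them (newest event first)."""
    seen, rows = set(), []
    for ev in events:
        row = dict(ev)
        row["name"] = coalesce(ev, "name", "LoadBalancerName")
        row["vpc_id"] = coalesce(ev, "vpc_id", "VpcId")
        row["dns_name"] = coalesce(ev, "dns_name", "DNSName")
        parts = (row["name"], row.get("account_id"), row.get("region"))
        # eval concatenation with a null operand yields null, and dedup drops
        # events whose dedup field is null (keepempty defaults to false).
        if any(p is None for p in parts):
            continue
        key = "#".join(str(p) for p in parts)
        if key in seen:  # dedup keeps only the first event seen per id
            continue
        seen.add(key)
        rows.append({c: row.get(c) for c in COLUMNS})
    # sortby - created_time: same-format ISO 8601 UTC strings sort chronologically
    return sorted(rows, key=lambda r: r["created_time"] or "", reverse=True)

SAMPLE_EVENTS = [  # constructed; newest event first
    {"account_id": "111111111111", "region": "us-east-1", "LoadBalancerName": "web-alb",
     "DNSName": "web-alb-new.example.invalid", "VpcId": "vpc-0aaa",
     "created_time": "2023-02-01T00:00:00.000Z"},
    {"account_id": "111111111111", "region": "us-east-1", "name": "legacy-elb",
     "dns_name": "legacy-elb.example.invalid", "vpc_id": "vpc-0bbb",
     "created_time": "2023-03-01T00:00:00.000Z"},
    {"account_id": "111111111111", "region": "us-east-1", "LoadBalancerName": "web-alb",
     "DNSName": "web-alb-old.example.invalid", "VpcId": "vpc-0aaa",
     "created_time": "2023-02-01T00:00:00.000Z"},  # repeat description of web-alb
    {"account_id": "111111111111", "name": "no-region-elb",
     "dns_name": "no-region.example.invalid", "vpc_id": "vpc-0ccc",
     "created_time": "2023-04-01T00:00:00.000Z"},  # region missing: null id
]

if __name__ == "__main__":
    for r in inventory(SAMPLE_EVENTS):
        print(r)
```

The event with no region never reaches the table, which is worth remembering when the inventory looks shorter than expected.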

Next steps

Sample results for this search are shown in the table below. created_time is an interesting field to sort on because it lets you determine how long the ELB has been in service. The table also shows the DNS name, virtual private cloud ID, region, and owning account. Other fields that are available but not shown below include subnets, ports, protocols, listener, instance state, and ssl_certificate_id. Depending on the information you are trying to track, these might be of interest to add to the table or track separately.

| account_id | created_time | region | name | dns_name | vpc_id |
|---|---|---|---|---|---|
| 63605715280 | 2015-11-11T06:00:57.730Z | ap-southeast-1 | TestELB3 | TestELB2-1018970143.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-11-11T06:00:57.730Z | ap-southeast-1 | TATestELB6 | TestELB2-1018970143.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-12-09T09:01:33.070Z | ap-southeast-1 | SaaSQATestELB3 | SaaSQATestELB3-792083005.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-12-11T10:05:10.170Z | ap-southeast-1 | TAtestelb3 | saastestelb-1720685174.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |
| 63605715280 | 2015-11-12T14:54:21.170Z | ap-southeast-1 | TATestELB5 | TestELB1-2109315026.ap-southeast-1.elb.amazonaws.com | vpc-d2d110ba |

Finally, you might be interested in other processes associated with the Managing an Amazon Web Services environment use case.